27 June 2015

The Best Defense Is a Strong Defense. Never Fight a Land War in Cyberspace.


Summary: While defense experts obsess about the relative advantages of different military hardware (e.g., the A-10 vs the F-35), the US has unleashed the tools of cyberwar on Iran. We can expect more in the future, begun by friends and foes. So let’s learn the rules. Today Marcus Ranum explains the nature of attack and defense in cyberwar, and the advantages of each. {2nd of 2 posts today.}

My 2014 presentation “Never Fight a Land War in Cyberspace” compared key elements of warfare in the real world with warfare in cyberspace, exploring the interchangeability of tactics and strategy in those domains. I expected that “cyberwar” would have similar underlying principles to regular war, but found that “cyberwar” bears no resemblance to warfare at all — tactically or strategically. Of course it fits in the overall grand strategy of conflict and power, but our tendency to reason by analogy breaks down quickly here.

In this series I will lift some of the main themes from that presentation and give them the more detailed explanation they deserve.

I will use two terms as shorthand.

“Cyberwar”, which I do not think is a real thing, as shorthand for “conflict in cyberspace” — which I consider real. This series continues my attempt to explain why “cyberwar” is not a useful concept; unfortunately, the term has taken on a life of its own. Caveat emptor.

“Topological warfare” as shorthand for the idea of warfare that is bound to a real-world existence. The real-world-ness of topological warfare is the basis for what we know as military strategy and tactics; it’s an environment in which armies have to eat and cannot move at light speed, etc. The topological nature of warfare deeply penetrates virtually all of our thinking about strategy and tactics.

“The Best Defense is a Strong Offense”

This military maxim is one of the first things commanders learn. It has been a good rule for topological warfare through the ages. Why is it a good rule? Here we’ll explore that question using two forms of topological warfare: generalized modern warfare, and kendo, the Japanese art of fencing. By looking at these two very different aspects of topological warfare we can better understand why the best defense can often be a strong offense. Then we will explore whether those properties apply to cyberwar and, by extension, whether the maxim holds true in that domain.

“The transition from defensive to the offensive is one of the most difficult operations in war.”

— Napoleon Bonaparte, XIX of his Military Maxims.

Bonaparte was referring to one of the most crucial problems in topological warfare: the intersection of command and logistics. Offense is not simply a problem of deciding your target and moving your forces towards it — unless you want to lose. As he demonstrated at Austerlitz, if your opponent can be caught flat-footed in the middle of redeploying or maneuvering in the wrong direction, they are a better target. Their command and control system is already stressed from the effort of getting them moving, and there will be an inevitable lag-time to exploit while they re-orient on the new threat. By aggressively maneuvering on your enemy (strong offense) you force them to react to you, which means that you’ve eaten up some of their capacity immediately by stressing their command and control — as well as their troops’ tactical ability to maneuver.

At Austerlitz, this worked perfectly because the Russian army’s tactical responsiveness was already outclassed by the French, and the Russian command and control capability simply wasn’t as good, either. When presented with a French army bearing down on them from an unexpected direction, in the middle of a grand maneuver, the Russian command structure was not competent to respond fast enough, and the troops weren’t either – the end was a foregone conclusion.

The late master strategist John Boyd (Colonel, USAF) established his own language for talking about this interaction with his famous observation-orientation-decision-action (OODA) loops. If you can think faster on your feet than your enemy, you can have your enemy always responding to you and have tremendous controlling influence on their actions. In Boyd’s world the best defense is a strong offense because, even if you’re not as good a pilot as Boyd, you can force him to respond to your first moves, at least, which gives you a chance. If you’re up against John Boyd, you hope for a sucker-punch and, if you get one, you’ve done better than most.

The quintessential example of this is the spoiling attack or sucker punch. If you face numerically superior forces, you launch an attack against their assembly areas and attempt to disrupt their tactical maneuvering; with luck, their command authority will make a mistake or their command and control will break down, giving you an opportunity to defeat the attack in detail. The Israeli opening of the Six-Day War is a great example of a successful spoiling attack.

Launching a spoiling attack immediately forces the target to respond locally or risk defeat in detail, which gives the attacker the most wonderful military advantage of all: having chosen the time, place, and composition of the battle.

Disorder is born from order; cowardice from courage; weakness from strength. The line between disorder and order lies in logistics; between cowardice and courage in strategic advantage; and between weakness and strength in strategic positioning. Thus the expert at getting the enemy to make his move shows himself and the enemy is sure to follow.

— Sun Tzu, The Art of War

In kendo, when you are a beginner, they teach you to throw simple attacks at your opponent before he does, because — if you can keep up a good flow of attacks — your opponent will have to parry them. If your strikes are properly launched, the position of your sword as it sweeps up and down will protect your head from your opponent’s strikes, and your opponent is left only with the alternative of blocking, or attempting the much more difficult cut at your wrist or torso.

Miyamoto Musashi by Utagawa Kuniyoshi (1797-1861)

Besides, my sensei explained to me, “even the best sometimes make a mistake.” If you can launch a flurry of attacks you are controlling the rhythm of the engagement, are keeping your opponent too busy to plan their own attack, and you may get lucky. Of course an opponent of superior skill will expect this, and have prepared a counter-attack with the idea of drawing your sword out of line so that they can predict where it will be and attack around it.

When you decide to attack, keep calm and dash in quickly, forestalling the enemy.

— Miyamoto Musashi’s The Book of Five Rings (~1645).

The best defense is also a strong offense when using a drawing attack. An expert might attack the opponent’s wrist having learned that their usual response to that attack is to step back and raise their sword; now they control the opponent’s movement and distance and can set them up for a successful attack at the torso.

To summarize: the best defense is a strong offense because it forces the enemy to respond, giving the attacker better control over the timing, nature, and terrain of the engagement. Whether it’s the heights at Austerlitz or the opponent’s wrist you are maneuvering on, a strong offense allows you to take the initiative.

Meanwhile, in Cyberspace

Offense in cyberwar immediately raises the question: “Who?” The first thing we need to think about is who to attack, where, and how. But immediately we have a problem: in cyberspace your enemy doesn’t exactly have a logistics train; there are no assembly points ripe for a spoiling attack.

Unlike topological warfare, we can’t see where they are maneuvering, so we can’t even reliably tell when we are about to come under attack. During the Six-Day War, Israel had a plausible basis to say their spoiling attack was justified because there were masses of troops and tanks forming up outside their borders – how do we get that level of certainty or targeting in cyberspace?

If one country is preparing a cyberwar attack against another, it’s not as if they will begin massing their routers on the border. In fact, the network one-thousandth of a second before the attack will look exactly as it did a week before. In a kendo match, you can see your opponent’s sword and react to their body’s movements, but in cyberwar your opponent has an invisible sword. Actually, your opponent is more or less completely invisible.

This leads me to offer my first military maxim of conflict in cyberspace:

Napoleon Bonaparte would throw up his hands in disgust! Musashi would hang up his sword in despair! How can you launch a spoiling attack against an opponent that does not even appear on the battlefield until their attack is launched? There is no opportunity to strike first, let alone parry, such an attack. You simply have to withstand it. And withstanding it is easy: you can choose to simply vanish from the battle-space for the time being by powering off parts of your infrastructure.

Being able to withstand attacks is crucial, and it completely inverts the cost/benefit analysis between offense and defense that got us to where we are in topological warfare. In topological warfare, a less skilled combatant can easily attack and hope for a sucker punch, but in cyberspace it is easier for a less skilled combatant to defend; they just unplug their network.

Some of you are thinking, “unplugging a network isn’t possible anymore!” That’s not the case. Translate “unplug” to “build a resilient network with a recoverable infrastructure that can survive multiple points of failure” and you’re on the right track. To stick with the kendo-based analysis, in cyberspace you can be like the Black Knight in Monty Python: “’tis but a scratch!”

In fact, if you are competent at building systems and networks, you are probably already building in a fair degree of resilience and recovery capability. This is, however, a weakness in most organizations’ cyberspace defenses: the systems are oriented toward resisting and recovering from single-point failures, because that’s how computer hardware tends to break. Attacks in cyberspace cause multiple-point failures. If your survival strategy is single-point safe, it’s time to re-think.
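The distinction between a design that is single-point safe and one that survives attack-induced, correlated failures can be checked mechanically. The Python model below is an added example, not code from the original essay or from any project it mentions; the topology, the dependency labels (an OS build, an admin credential, a site) and the quorum values are constructed for illustration. It goes slightly beyond the essay’s single-point case: every dependency shared between nodes is treated as a potential common-mode failure, so the same check covers a shared exploit, a shared stolen credential, or a lost site.

```python
"""Toy resilience check: independent hardware failures vs. common-mode
(attack-induced) failures. Constructed example; not from the original essay."""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Node:
    name: str
    deps: FrozenSet[str]   # shared dependencies: OS build, credential, site, CA, ...


@dataclass
class Service:
    nodes: List[Node]
    quorum: int            # minimum number of live nodes for the service to function

    def is_up(self, failed: Set[str]) -> bool:
        alive = sum(1 for n in self.nodes if n.name not in failed)
        return alive >= self.quorum


def survives_k_arbitrary_failures(service: Service, k: int) -> bool:
    """Hardware-style reasoning: any k nodes die independently of each other."""
    names = [n.name for n in service.nodes]
    return all(service.is_up(set(combo)) for combo in combinations(names, k))


def common_mode_weaknesses(service: Service) -> List[str]:
    """Attack-style reasoning: one exploit, one stolen credential or one lost
    site removes every node that shares that dependency at the same moment.
    Returns the dependencies whose loss alone takes the service down."""
    deps = sorted({d for n in service.nodes for d in n.deps})
    weak = []
    for dep in deps:
        failed = {n.name for n in service.nodes if dep in n.deps}
        if not service.is_up(failed):
            weak.append(dep)
    return weak


def resilience_report(service: Service) -> dict:
    return {
        "single_point_safe": survives_k_arbitrary_failures(service, 1),
        "common_mode_weaknesses": common_mode_weaknesses(service),
    }


# Constructed topology 1: three replicas that differ only by hostname.
# Survives any single (or double) hardware failure, but one exploit against
# the shared OS build, or one stolen shared credential, removes all three.
IDENTICAL_REPLICAS = Service(
    nodes=[
        Node("web1", frozenset({"os:linux-build-42", "cred:shared-admin", "site:dc1"})),
        Node("web2", frozenset({"os:linux-build-42", "cred:shared-admin", "site:dc1"})),
        Node("web3", frozenset({"os:linux-build-42", "cred:shared-admin", "site:dc2"})),
    ],
    quorum=1,
)

# Constructed topology 2: same node count, but no dependency is shared by
# enough nodes to break quorum, so no single common-mode event takes it down.
DIVERSIFIED = Service(
    nodes=[
        Node("web1", frozenset({"os:linux-build-42", "cred:admin-dc1", "site:dc1"})),
        Node("web2", frozenset({"os:bsd-build-7", "cred:admin-dc2", "site:dc2"})),
        Node("web3", frozenset({"os:linux-build-42", "cred:admin-dc3", "site:dc3"})),
    ],
    quorum=1,
)


if __name__ == "__main__":
    for label, svc in (("identical replicas", IDENTICAL_REPLICAS), ("diversified", DIVERSIFIED)):
        print(label, resilience_report(svc))
```

Both topologies pass the usual “survives any single node failure” test; only the dependency enumeration reveals that the first one falls to a single common-mode event. In practice the dependency labels are whatever an inventory can actually tell you: patch level, credential scope, certificate issuer, upstream provider.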

We can see the beginning of an inversion in the cost/benefit analysis of attacking versus defending in cyberspace. It gets worse when we consider the problem of attribution. If we’re going to launch a successful spoiling attack, we have to know whose operation we’re going to spoil. Indeed, that opens up a huge strategic can of worms that I have been hiding under the table through this entire discussion: multiple opponents.

Multiple Opponents

Our strategic models for topological warfare are more deeply rooted in logistical reality than we generally recognize. In topological warfare, we think of our opponent as an individual mass: Germany in WWII, or a cluster of allied powers such as “The Axis”. All of our strategic techniques and tactical doctrines are oriented toward this model. Incidentally, that’s one reason why 4GW (fourth-generation warfare) and terrorism are a huge problem for states to deal with: they lack a convenient and comprehensible model of “Us” versus “Them” where “Them” is not a neatly classifiable group. In a sense “The War On Terror” is an attempt to lump all violent political dissent into a single entity that can be strategized against as a whole and defeated in detail. It’s childish reasoning and it ought to be obvious why it won’t work – the enemy is not employing a single strategy that can be defeated using some all-or-nothing method.

The really bad news is: cyberspace is worse.

The logistical reality of topological warfare is that there are only so many boots you can put on the ground, and you have to move them around somehow. That doesn’t apply in cyberspace; it’s fluid.

In topological space you can look at another nation and have your intelligence forces determine that they are building up ships and planes and preparing for an attack. In a sword-fight you can see how many opponents have drawn their swords. In cyberspace you get none of that; you could be up against one, or a thousand enemies. Or none at all.

Our strategic model in topological warfare is to orient ourselves toward the enemy that is most likely to present a threat, then engage them with our best combination of offenses and defenses. In grand strategy terms, that amounts to attempting to defeat the entire universe in detail. “Come at me, bro!” one at a time. At the level of nation-states or individual swordsmen that works. In 4GW, terrorism, and especially cyberspace, enemies are created, appear, and disappear constantly. There is nothing to orient against, no attacker to prepare for. Every enemy, like every attack, can be a complete surprise.

Even if “the best defense is a strong offense” were true in cyberspace, what are you going to do, attack everyone? For budgetary reasons, this appears to be the response from Versailles On The Potomac, but the prevailing philosophy of strategy would say that if the US continues to prepare to attack everyone, it is inviting preemptive attack from everyone.

To say that Washington does not understand 4GW or cyberwar is an understatement. You can see this inconsistency manifest in how the US Government complains about “Chinese cyberspies” while simultaneously the NSA attempts to infiltrate every significant network on earth. The only path to victory in the current scenario is complete global dominance. That’s not a strategy, it is what Sun Tzu called “the noise before defeat.”

Deterrence is another element in the current strategic debacle. Obviously, Germany asking the US NSA to stop monitoring their cell phones hasn’t worked very well. Obviously the US’ asking China to stop hacking American systems hasn’t worked very well. Obviously, the idea that it’s possible to threaten or bluster someone into stopping cyberspace attacks hasn’t worked very well.

In topological warfare the usual strategic solution for that challenge is to pick someone manageable and make an example out of them. That simply cannot possibly work in cyberspace because of the problem of attribution and the potential for its manipulation. Attribution remains hard and, short of full dominance of cyberspace, is probably impossibly expensive and unreliable. I worry about this, however, because a misplaced attribution could still be sufficient to get people killed; that’s how unwise political leaders tend to be. People talk about “cyber Pearl Harbor” but we should be much more worried about “Cyber Gulf of Tonkin.”

The Best Defense

What are we to do in an environment where the received-wisdom strategies are doomed to failure? We need to keep doing what most of us have been doing: perfecting our defenses. The single-enemy model simply fails. If your defenses are really, really good, you don’t have to worry about deterring attack, or disrupting an attacker’s operations: you can just grin and bear it. Perhaps you might even gain some satisfaction imagining the expense and frustration the enemy is inflicting on themselves. Since there are infinite enemies, some of which are unknown, a good defense can cost those enemies an infinite amount of frustration and expense.

I have some experience with this, and it’s sobering. I once spent a half hour, sword in hand, attempting to hit a 2nd degree black belt in kendo. I nearly ruptured my heart with fatigue and frustration and I don’t think he even broke a sweat.

To look at this from a strategic perspective I would point out that, by perfecting his defense so well, my opponent had a good chance of withstanding many, many, many attackers (though not all at once). It was expensive in terms of effort and resources to achieve such a level of defense, but it more or less solved his problem of being attacked with a sword. Extend that idea, and the cyberspace equivalent would be the ability to deflect an infinite number of attackers, equally effectively, simultaneously and over the long term. A great defense is the gift that keeps on giving.

In cyberspace, the effective lifetime of a new exploit or attack is fairly short, while the effective lifetime of a good defense is much, much longer. Since the invention of computer networking, the idea of segmented networks with traffic-controlling devices (nowadays we call them “firewalls”) has persisted and evolved because it simply works. When new offensive techniques are developed, defensive systems have to react to defeat them, but once they are defeated, they are defeated for everybody, which means that the logistical nightmare belongs to the attacker.

A carefully researched “day zero” exploit is valueless within a few days of the computer security world’s learning about it, and the attacker must develop a new one if they want to continue their offensive. The financial logistics of such a situation could only appeal to Pentagon contractors; the advantage rests with the defense.
