In cyberspace it is generally thought that offense has the advantage over defense, because defenders must be perfect while attackers only have to succeed once. It is also commonly thought that the U.S. has the largest space to defend because of its heavy reliance on networks for everyday life and military operations. So how can the U.S. meet such a defensive challenge, and why haven’t we seen more “real” cyberattacks that cause physical destruction or the loss or alteration of data (rather than DDoS attacks or website defacements)?
The equation gets a little more complex the more I think about it. My first idea is that such attacks might have happened, or are happening, but companies and governments are not publicly admitting to being victims for a variety of understandable reasons. Beyond that, three key elements have to coalesce for an attack to occur. Attackers need motivation, whether financial, political-social, or military in nature. They also need the opportunity and the means to conduct the attack. Each of these is readily available online for DDoS-style attacks (it doesn’t cost much to rent a botnet) or for hacking websites, but pathways into, and exploits for, SCADA systems, for example, are not as readily available. Even with the right tools and motivation, an attacker must pick and choose the right time to attack to maximize the damage or impact. The journey to launching a potential attack doesn’t end there.
The USG and some corporations have gotten increasingly better at attribution, and at least the government has begun to lay the groundwork for which types of attacks it will tolerate and which it will respond to aggressively. While cyber deterrence is a hotly debated issue, some degree of deterrence (even if minute) may be happening at this very moment. Add this deterrence to the above checklist of why and how an actor conducts an attack, and you’ve successfully narrowed the pool of potential attackers from every script kiddie with an internet connection down to a set of skilled and motivated hackers who are not deterred by potential retaliation and are actively going after the U.S.
This is how we must view our defensive challenge.
I’d argue we can meet this particular challenge. The obvious first step is to increase our defenses. It is a costly but necessary step for the U.S. government and for every private corporation. The private sector offers the government some of the best defensive products and intelligence services to meet this goal. But, as a whole, the private sector also often fails to use these commercially available computer defense products to protect its own networks. A corollary to that is conducting active defense and pushing the defensive perimeter out as far as possible. However you define active defense, it must be an intelligence-driven process, so that some attacks are never launched at all or never reach their target.
What other steps do you think the USG or corporations should take to meet the defensive challenge we face in cyberspace?