Fighting the Last War
Why a Change in Cyber Protection Strategies Is Desperately Needed
This month, I’ll be celebrating another birthday. One of the good things about getting old is that you tend to have a perspective that seemed to elude us in our youth. So today, I’m going to play the “age” card and talk about perspective with regard to modern cyber warfare—that is, where we are and where I think we need to be.
When I was commissioned as a 2nd lieutenant in the United States Army in 1973, the Vietnam War was winding down. As is the case with most wars, the strategies and tactics employed in the current war sometimes lag behind, resulting in the Army fighting the “last war.” When the Vietnam War started in the 1960s, United States military doctrine was focused on large-scale tank warfare across the European continent. The strategy and tactics followed suit, including the instruction given in all service schools for military personnel. While the Army was teaching tank warfare because of its historical experiences in World War II, a new brand of warfare known as guerrilla warfare was springing up in Southeast Asia. As a result, in the early stages of the Vietnam War, the United States was fighting the last war and not the current one.
Defending from the Inside Out
So what do these kinetic warfare examples have to do with cyber warfare and how we combat hackers and other cyber adversaries in the 21st century? Well, the answer is quite a bit. If you examine how both public and private sector organizations defend their critical systems today in cyberspace, it looks very much like a cyber version of the 20th century Maginot Line in France or the Allies defending the Fulda Gap in Germany. The current cyber strategy builds up perimeter defenses along a single dimension of “penetration resistance” with the objective of keeping the hackers and adversaries out of the defender’s system. But what happens when the warfare starts to look more like guerrilla warfare, where most of the engagements are in small towns and villages? What if the enemy combatants are no longer deployed across a well-defined defensive perimeter but are now “behind friendly lines” and engaging from within—embedded in your systems, your critical infrastructure, and your supply chain?
Today, we see attacks taking place on American soil across the country, impacting both government agencies and companies, large and small. Cyber adversaries do not respect boundaries. In fact, one could argue the classic system boundaries no longer exist with cloud computing, mobile devices, IoT, and cyber-physical systems. The one-dimensional strategy of boundary protection and penetration resistance that proved somewhat successful in the early days of cyber defense is no longer effective in every situation [1]. With the ever-growing attack surface represented by our connected systems, skilled hackers and cyber adversaries can routinely breach perimeter defenses and inflict significant damage upon organizations—including stealing information, installing malicious code, bringing down critical system capabilities, and causing social division and upheaval.
Why are they successful? Because we are employing cyber defenses that do not recognize the realities of modern, complex systems and advanced cyber warfare tactics, techniques, and procedures. Making matters worse, our infrastructure is interconnected with on-premises systems, cloud systems, and systems from partners and service providers. To address these conditions, the mindset of 21st century cyber defenders must be based on a new multi-dimensional protection strategy. This includes employing sound systems security engineering concepts and principles from the start of the system development life cycle to achieve security as a “foundational property” of the system (much like safety, reliability, and fault tolerance). It means expanding the “single dimension” protection strategy to include second and third dimensions that can achieve defense-in-depth. However, true defense-in-depth goes beyond the employment of security controls as part of boundary protection and penetration resistance. It also includes limiting the damage adversaries can inflict after a system breach and ensuring the system is resilient—that is, having the ability to continue to operate the system, even in a degraded or debilitated state, to support critical missions and business operations.
Time for Cyber Reinvention
So to return to our kinetic tank warfare analogy, today’s cyber defenders must operate in a “cyber guerrilla” warfare mode, acknowledging that adversaries may be present and operating within their systems, infrastructure, and supply chain [2]. The mission is to keep them out if possible and to limit the damage they can do by impeding their lateral movement, reducing their time on target, and increasing their work factor—in essence, breaking the attack chain sequence and making their lives miserable.
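The two preceding paragraphs describe the second and third dimensions in words: limit what an adversary can do after a breach, and raise their work factor. The following Python model is an added example, not code from the article or from NIST; the host inventory, segment names and allow-list are constructed and hypothetical. It compares how far an adversary who already holds one host can move laterally under a flat, perimeter-only network versus a segmented allow-list policy, and counts the hops each target costs, since every extra hop is more work for the adversary and another opportunity for detection.

```python
"""Added example: modelling the 'limit the damage after a breach' dimension.

Constructed, hypothetical hosts and segment policy; not from the article.
Compares lateral reach under a flat network versus a segmented allow-list
policy, and how many hops each target costs the adversary.
"""
from collections import deque

# Constructed inventory: host name -> network segment (hypothetical names).
SEGMENTS = {
    "kiosk-01": "guest",
    "laptop-07": "user",
    "laptop-12": "user",
    "jump-01": "admin",
    "db-01": "data",
    "db-02": "data",
    "backup-01": "data",
}

# Constructed allow-list of permitted segment-to-segment flows.
# Any pair not listed is denied by default.
ALLOWED_FLOWS = {
    ("guest", "guest"),
    ("user", "user"),
    ("user", "admin"),   # users reach the data segment only via the jump host
    ("admin", "data"),
    ("data", "data"),
}


def flat_policy(src_segment: str, dst_segment: str) -> bool:
    """Perimeter-only design: once inside, every host can talk to every host."""
    return True


def segmented_policy(src_segment: str, dst_segment: str) -> bool:
    """Defense-in-depth design: only explicitly allowed segment pairs connect."""
    return (src_segment, dst_segment) in ALLOWED_FLOWS


def lateral_reach(start: str, policy, hosts=SEGMENTS) -> dict:
    """Breadth-first search from a compromised host.

    Returns {host: hops} for every other host the adversary can reach by
    moving only through allowed flows. A host absent from the result is one
    the policy keeps out of reach from this starting point.
    """
    hops = {start: 0}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for candidate in hosts:
            if candidate in hops:
                continue
            if policy(hosts[current], hosts[candidate]):
                hops[candidate] = hops[current] + 1
                queue.append(candidate)
    del hops[start]
    return hops


def summarize(start: str, policy) -> dict:
    """Blast radius (hosts reachable) and work factor (longest path in hops)."""
    reach = lateral_reach(start, policy)
    return {
        "blast_radius": len(reach),
        "max_hops": max(reach.values(), default=0),
    }


if __name__ == "__main__":
    for host in ("kiosk-01", "laptop-07"):
        print(host, "flat:", summarize(host, flat_policy),
              "segmented:", summarize(host, segmented_policy))
```

Under the flat policy a compromised guest kiosk reaches all six other hosts in one hop. Under the segmented policy the same kiosk reaches nothing, and a compromised user laptop still reaches the data segment, but only through the jump host in two hops, which is exactly where a defender would place monitoring and stronger authentication. The model is deliberately simple: swap in your own inventory and flow rules to see which single compromise produces the largest blast radius.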
For far too long, we have been victims of these devastating cyber-attacks. Every week, it’s another headline, another attack, more damage and destruction to our economy and our national defense [3]. It’s time to take control of our “cyber neighborhoods” and seize the initiative so the ADVERSARIES are operating in hostile territory—in our house. We have the knowledge, skills, and ability through systems security engineering to build stronger, more penetration-resistant, and resilient systems [4]. We also have the tactics, techniques, and procedures to confuse, delay, and deceive adversaries—making them operate in a hostile, “cyber guerrilla” systems environment.
It’s time to recast our cyber protection strategy so we can deter, detect, delay, deny, and ultimately defeat these cyber adversaries [5]. Former United States CISO, retired Brigadier General Greg Touhill, USAF, summed it up this way:
“The introduction of new technologies, regardless of whether it is firepower, airpower, space, or cyberspace, results in changes to the realm of conflict. Those who fail to adapt—lose. Early in the 20th century, the French decided to go with what they knew, static defense, and lost in 40 hours. At cyber speed, static defense can result in defeat in 40 milliseconds.”
The future of our country depends on choosing the correct course of action in cyberspace. Moreover, any national cyber protection strategy must involve the essential partnership—government, industry, and the academic community. That’s the partnership that got us to the moon; and that’s the partnership that can create solutions to protect the Nation.
[1] R. Ross, “Right Strategy, Wrong Century.”
[2] R. Ross, “The Adversaries Live in the Cracks.”
[3] J. Miller, “SolarWinds incident should be a catalyst to rethink federal cybersecurity.”
[4] R. Ross, “Rethinking Our View of System Security.”
[5] R. Ross, “Protecting the Nation’s Critical Assets.”
A special note of thanks to Mark Winstead, Keyaan Williams, Greg Touhill, and Tony Cole, long-time SSE and cybersecurity colleagues, who graciously reviewed and provided sage advice for this article.
Cybersecurity Expert | Investor | Entrepreneur | Car Enthusiast | Constant, forward momentum
1 year ago: Thank you Dr. Ross for such an insightful article. There is hope in AI technology to adapt defenses faster to meet and defeat the threats. We need to harness AI for Cyber in a positive way.
Our cyber leadership needs to focus on defending the country from our external state enemies, not internal politics. The latter is wasting time and resources that need to be spent on the primary objectives.
CTO of OODA LLC.
3 years ago: Ron, one of your great skills is writing clearly and convincingly. This is very well put and motivational.
Chief Security & Trust Officer, HiddenLayer
3 years ago: Ron Ross, great perspectives as usual. We also need to better train our defenders in the guerrilla tactics and approaches to help them, and thus our organizations, improve our defensive posture.
Staff Threat Intel Analyst, Adversary Tactics
3 years ago: > ...government, industry, and the academic community... I'm curious as to your thoughts on how we get this partnership going...