The 'O' Word: Offense vs. Defense in Cyber
Jun. 10, 2013 - 06:00AM |
WASHINGTON — Offensive attack, attack back, active defense, defensive response. All of these phrases can refer to the same activity — using cyber force to stop an attacker.
But choosing a way to describe that response can be tricky, a linguistic complication created by advances in technology and a policy world still struggling to find a place for cyber.
Part of the difficulty lies in a deep-seated aversion to describing any government endeavor as offensive. The US fights wars with an agency called the Department of Defense (DoD). But as cyber capabilities have advanced, so has the difficulty in finding ways to describe attacks used for defensive purposes.
“Offense and defense are tied at the hip, and at sufficiently advanced technical levels, offense and defense merge,” said Ed Skoudis, a cyber expert with the SANS Institute who has taught many military and intelligence community cyber defenders.
“Offensive techniques can be used to achieve defensive ends, defensive means can be used to achieve offensive ends, and often, the skills are identical.”
One example is the idea of cyber reach-back, a term used by experts to describe going after attackers’ systems. Defense News ran an article May 27 that described efforts to codify this use of cyber force in the Standing Rules of Engagement as “offensive efforts.” Several DoD officials objected to the description, instead referring to the capabilities as “defensive response,” focusing on the intent of the use of cyber force.
Intent is one of the criteria some experts use to define the use of cyber force.
“Offensive is when you’re doing things that are unprovoked,” said Bob Ackerman, founder of Allegis Capital. “This is where you run into some sensitivity within the Department of Defense. The posture is one of protecting; it comes down to what is the intent.”
Ackerman said that recently, the use of cyber force is more frequently being described under the term “active defense.”
“A couple of years ago, when people were talking about offensive cyber technology, that’s what today we call active defense,” he said. “The technology is so far ahead of the rules that we’re struggling with this. When is the best defense a good offense? Do you wait for them to bring it to you, or do you reach out and engage them in their turf on your terms?”
But active defense is a phrase that’s exceedingly difficult to define. Every expert interviewed for this article had a different definition of the phrase.
“Active cyber defense is a complete Rorschach,” said Jason Healey, director of the cyber Statecraft Initiative of the Atlantic Council. “Whatever person you’re talking to, whatever thing a person has in mind that they’re not currently allowed to do, that’s what active defense is.”
One of the distinctions Healey said might be used is differentiating the types of tools from the overall cyber action.
“There’s certainly a spectrum when you’re doing a counteroffensive thing that’s still defensive, but we still call it a counteroffensive move,” Healey said.
The one agreement seems to be that programs like Olympic Games, which featured the cyber attack in the form of Stuxnet, are clearly offensive.
But the use of offense is gaining traction as a necessary component of defense, said Ian Wallace, a visiting fellow with the Brookings Institution and a former official with the British Ministry of Defence who helped develop the UK’s cyber strategy.
“Throughout the history of conflict, there has always been a view that one of the best forms of defense is attack, and that is certainly a view held by some of those in the cyber field,” he said. “It’s also true that in cyber, unlike in many other forms of conflict, the most tricky problem is gaining access rather than the destruction itself. And therefore, one of the best ways to protect yourself could be considered to be getting to the attacker before they get to you.”
US companies, often the target of attacks for data theft but without legal authority to go after their attackers, have quietly been doing it for some time, Skoudis said.
“We all know that companies have hired people to attack back; we’ve all been approached for that,” he said.
The problem, from an international relations standpoint, is that attacks that might be defined as defensive action by one country might not be so defined by another, Wallace said.
“Given the potential for miscalculation in cyber conflict, anybody who engages in active defense has to factor into their decision the possibility that the other side sees whatever you’re doing as an attack, even if you believe that it’s a legitimate way of defending yourself from an attack,” he said.
That question of understanding could be critical as the US considers options to deal with increasing attacks from China, a topic President Barack Obama was due to raise with Chinese President Xi Jinping over the weekend.
Obama Talks Cyber With China
Tension between the US and China has been heating up for months, as the administration has begun to publicly point the finger at China for significant breaches and data theft. In a historic move, the Defense Department named China as the likely source of attacks in its annual report on China delivered to Congress last month.
And in February, the Obama administration released a document that outlined plans to increase diplomatic pressure on countries that have engaged in data theft. The strategy, which was clearly aimed at China, said that diplomats would be raising the issue of theft in upcoming meetings.
“The Department of State will track scheduled diplomatic engagements and meetings by senior administration officials with governments of countries where there are regular incidents of trade secret theft or that may be complicit in trade secret theft,” the document said. “During these meetings, senior administration officials will deliver appropriate messages to their foreign counterparts to express the administration’s focus on reducing incident of trade secret theft, including improved legal frameworks, stronger enforcement of existing laws and strong and efficient remedies for trade secret owners.”
In April, when Secretary of State John Kerry visited China, the two countries agreed to set up a working group to address cybersecurity issues. Now, Obama will have his chance to further the discussion.
“A lot has been put on the table recently: US requests China to stop theft of intellectual property, China requests demilitarization of cyberspace, many countries want to exercise more government control over their segments of cyberspace,” said Eneken Tikk-Ringas, senior fellow for cybersecurity at the International Institute for Strategic Studies.
“To move things forward for the international community as a whole, these goals need to be first addressed between the key players and only after some clarity between them be brought back to tables of the UN or regional organizations. All in all, it is about time for all those interests and requests to prove their weight and right to life in the international community,” Tikk-Ringas said.
Part of the problem with talks may be that the Chinese government doesn’t have complete control over the People’s Liberation Army cyber wing, said Jun Isomura, senior fellow at the Hudson Institute. “I do not know whether the PLA’s cyber arm is controllable by the new administration in Beijing,” he said. “Beijing may not even know what the PLA is doing.”
That may be part of the reason the Chinese government has denied any activity in cyber attacks, which is the biggest problem for negotiations, Isomura said.
“At present, China is denying it,” he said. “If they don’t acknowledge it, some sort of sanction should be considered. This is a national security issue.”