From the recent September/October 2010 issue of Foreign Affairs – William Lyn U.S. Deputy Secretary of Defense writes about defending a new domain.
The long, eloquently phrased article, demonstrates that the US has fundamental flaws in it’s strategic thinking about fighting terror:
Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats…..Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.
And in summary:
“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”
It is unfortunate that a politruk has so much influence on US cyber security.
The US and European governments consistently adopt strategic policies that were obsolete years before they came into office.
Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses and pats itself on the back for recognizing that there is a new domain of threats….when the Internet was invented 20 years ago.
Lyn’s laundry lists of strategic objectives phrased in politically-correct corporate-speak are the wrong answer for improving cyber-security. When Lynn himself, speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded monolithic, bureaucracies.
The private – public partnership is particularly problematic in my view. The really smart people in security technologies are at small startups – not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate. And – why – if I may challenge some conventional wisdoms – should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And – why- should Microsoft be part of the solution when they are part of the problem.
Perhaps the US should start by outlawing Windows and using Ubuntu which is not vulnerable to removable USB device auto run attacks.
Perhaps the US should start getting more humint on the ground instead of gutting the CIA from it’s human assets and relying on satellites and network intercepts. At the time of 9/11 – the CIA had no human assets in Saudi and since the Clinton administration – investment in people on the ground has gone downhill. I hear the sign in the CIA station chief office in Riyadh says “Better to do nothing then to do something and look bad”.
Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).
Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.
The security concept proposed by Lynn is sadly divorced from reality.
[...] Why Pentagon cyber strategy is divorced from reality. | Israeli … [...]
[...] Continued here: Why Pentagon cyber strategy is divorced from reality. | Israeli … [...]
[...] View post: Why Pentagon cyber strategy is divorced from reality. | Israeli … [...]
[...] the original here: Why Pentagon cyber strategy is divorced from reality. | Israeli … Tags: adopt-strategic, again-today, flawed-assumptions, middle, obama, occurring-once, shelf-lives [...]
[...] Original post: Why Pentagon cyber strategy is divorced from reality. | Israeli … [...]
[...] View post: Why Pentagon cyber strategy is divorced from reality. | Israeli … [...]
You bring up one really good point. If the US Federal gov is serious about a cyber security strategy shouldn’t one tenant be: Migrate off of any OS that is consumer based and represents more than 20% of the installed base? Mind you, targeted attacks from spies would have no problem attacking OSX or Ubuntu but at least the military would not succumb to off the shelf malware.
Richard
Excellent insight. I agree and I think using Ubuntu would significantly reduce the threat surface – especially as it would take away the Windows USB auto-run vulnerability which is huge.
Danny
The Microsoft-Government partnership is particularly problematic since there are more than purely security/homeland security interests at stake – all of Microsoft’s commercial interests in doing business with the US Government may prove to be more seductive than national security.
D
Many of the higher echelon people at DoD are ex military with master’s degrees in either engineering or political science. Since current political science thought is lagging current international relations by at least a generation (for example – considering that religion is not a factor in international relations – an absurdity after 9/11) – it is clear that the DoD are incapable of thinking out of the box
W
Another point worth considering is the notion that one can work on reducing the profit function of terrorists – when a cyber – terrorists work for fun and Muslim suicide bombers work for Allah
W
@Stiennon
I think there might be an option for a hardened Windows version for the US government.
E
I think you’ve missed the point that Richard and I are trying to make – which is that more diversity is better security – I imagine that adopting Ubuntu in the Federal government might also have extremely good long term economic implications on the prices that the US Government pay to Microsoft for their products
Since the Obama administration (for good or worse) is keen on emulating European government culture and practices – it would behoove the DoD to lead an effort to support Linux and Free Open Source
D
I am joining this fracas a bit late but I just don’t understand the anti-Microsoft sentiments.
You are not going to be able to change reality which is that most Federal workstations run Windows. I think it’s more productive to work with Microsoft to improve security than to throw out the baby with bath water
My 2c
Dave CB
David
You make a good point but I would retort by asking what would you do if you owned a car whose maintenance and safety were more than you could afford?
D
Good day http://www.software.co.il!. I discovered your information security Website via Google but it was hard to find and I see you could have more visitors because there are not so many comments yet. Take care – John
Good point. I’m always interested in finding ways to improve accessibility of the Web