RAND Corporation this week became the latest independent research firm to implore government and law enforcement agencies as well as private-sector IT firms to step up their efforts and get serious about developing a comprehensive battle plan for fighting cyber terrorism in the U.S. and around the globe.
The highly respected nonprofit organization’s study, titled “Cyberdeterrence and Cyberwar,” concludes that the U.S. and other nations dependent on externally accessible computer networks, particularly the ones used for electric power, telephone service, banking and military command and control, are in great danger of falling victim to a coordinated cyber attack.
“Adversaries in future wars are likely to go after each other’s information systems using computer hacking,” said Martin Libicki, the report’s lead author and senior management scientist at RAND, a nonprofit research organization. “The lessons from traditional warfare cannot be adapted to apply to attacks on computer networks. Cyberspace must be addressed in its own terms.”
The study results come on the heels of Wednesday’s landmark bust of 100 alleged cyber thieves in a coordinated international investigation spearheaded by the FBI and Egyptian authorities.
The crackdown, called Operation Phish Phry, marks the largest cyber fraud prosecution in U.S. history and illustrates just how important cooperation is and will be for law enforcement in different jurisdictions and countries in order to stem the exponential surge in cyber attacks.
The RAND study found that military cyber attacks are most effective when part of a specific combat operation — such as silencing a surface-to-air missile system protecting an important target — rather than as part of a core element in a long, drawn-out military or strategic campaign.
Libicki said it’s difficult to determine how destructive a cyber attack would be. Damage estimates from recent cyber attacks within the United States range from a few billion dollars to hundreds of billions of dollars a year.
Cyber warfare is ambiguous, the report continues: it is rarely clear what attacks can damage deliberately or collaterally, or even possible to determine afterward what damage was done. The identity of the attacker may be little more than guesswork, which makes it hard to know when someone has stopped attacking. The cyber attacker’s motivation, especially outside physical combat, may be equally unclear.
“This is not an enterprise where means and ends can be calibrated to one another,” Libicki said. “As a result, it is ill-suited for strategic warfare.”
At this week’s McAfee FOCUS 09 security conference in Las Vegas, CEO Dave DeWalt didn’t mince his words during a keynote address outlining the security software vendor’s battle plan for fighting everything from nation- or organization-sponsored cyber terrorism to run-of-the-mill spam attacks.
“At least 20 countries have invested in cyber warfare,” he said. “We see it almost every day. To protect our assets, it’s about learning from our history — learning lessons that shape our strategy and help us to evolve our protection.”
DeWalt also advocated increasing both the breadth and depth of the Security Innovation Alliance (SIA), an organization he described as “the NATO” of security software, which brings together more than 20 different vendors for the purpose of sharing techniques and technologies to fight cyber crime.
RAND’s Libicki points out that weapons of cyber warfare are “amorphous,” eliminating the traditional approaches the U.S. and other countries have taken to arms control. More troubling, military networks mostly use the same hardware and software as civilian networks and must endure and resolve similar vulnerabilities.
The RAND study recommends the U.S. first pursue diplomatic, economic and prosecutorial efforts against cyber attackers rather than make strategic cyber warfare a priority investment because it’s often impossible to attribute any single attack to a specific adversary and there’s little or no opportunity to counterattack once the damage has been done.