Monday, May 2, 2011

U.S. cyber war doctrine: Endemic Stupidity

In my post on what a REAL cyber war with China might look like, I touched on some basic assumptions we seem to be making that are just plain wrong. In his book Cyber War, Richard Clarke inadvertently nails one of our biggest conceptual weaknesses (page 213):
The cyber experts at Black Hat were asked at the 2009 meeting whether they thought the problem of attribution was as important as some suggest, that is, is it really that hard to figure out who is attacking you, and does knowing who attacked you really matter? To a person, they answered that attribution was not a major issue to them. It was not that they thought it was easy to identify the attacker; rather, they just did not care who it was…their chief concern was getting the system back to normal and preventing that kind of attack from happening again. Their experience dealing with the FBI had convinced most of them that it was hardly worth it even to report to law enforcement when they had been attacked.
THE BIG CYBER WAR CONCEPTUAL WEAKNESS: ATTRIBUTION. The people in the business of protecting American corporate infrastructure "…just [do] not care who [the attacker is]…" Why not? You've got to read between the lines separating the last sentence of the above quote from the rest of the paragraph. It's not just that reporting an attack to the FBI is a waste of time. It's that identifying the real source of the attack breaks U.S. cyber law, because backtracking the attack means you must "roach" the chain of attacking systems, which is against the law.

Unfortunately for my concept of cyber privateering, ATTRIBUTION is critical to retribution and the key element an underwriter would face in authorizing execution of a Letter of Marque and Reprisal under the terms of my Cyber Privateer Code. Period. Paragraph 4 to be precise:
4. Innocent victims whose assets are directly and mistakenly confiscated by cyber privateers (and whose funds are not returned within 10-days after the parley) shall be compensated in an amount equal to one-hundred times their loss, with interest accruing on the restitution amount at the rate of twelve percent per annum. This does not include victims of the cyber criminals, since they were already victimized.
Bottom line, if we're stuck playing defense, it's not a matter of "if" but of "when" we will be dealt a fatal cyber blow. There is no deterrent in place if we do not have a formally stated response doctrine, a Morgan Doctrine if you will. Anything less is…stupid.

Period. Paragraph. End of discussion.


Implementation suggestions for THE MORGAN DOCTRINE are most welcome. What are the "Got'chas!"? What questions would some future Cyber Privateering Czar have to answer about this in a Senate confirmation hearing?