With attacks on U.S. networks increasing even as both government and industry pour more money into defense, top officials told the U.S. Senate Tuesday that the nation needs a new approach – one that presumes an eternal state of cyber-war. “I think we’ve got the wrong mental model here,” said James Peery of the Energy Department’s Sandia National Laboratories. “We’ve got to go to a model where we assume our adversary is in our networks, on our machines, and we’ve got to operate anyway, we’ve got to protect the data anyway.”
Today’s cyber-defenses are only “buying tactical breathing room… much like treading water,” agreed the acting director of the Defense Advanced Research Projects Agency, Ken Gabriel. “If you find yourself in the middle of the ocean, treading water is a good thing,” he went on, but it’s not sufficient as a long-term strategy. Today, it’s much cheaper and easier to attack a computer network than it is to defend it, the assembled experts agreed; what’s essential is to change that “cost equation.”
That disturbed Ohio Sen. Rob Portman, the top Republican on the “emerging threats” panel of the Senate Armed Services Committee, which held the hearing. “You believe,” he summed up, “[that] we can do things that make it more costly for them to hack into our systems… but you didn’t say that we can stop them.”
“We are in an environment of measures and countermeasure,” replied Zachary Lemnios, the Pentagon’s chief technology officer and assistant secretary of defense for research and engineering. As in other areas of warfare, “for every concept that’s deployed, a countermeasure is deployed by an adversary.”
“We started in computer network defense years ago with a perimeter defense,” Lemnios continued. Such systems simply tried to keep attackers from getting access in the first place but had few protections once they did get in – or if they were insiders who had legitimate access to start with and misused it, as allegedly occurred with WikiLeaks suspect Bradley Manning, the young Army soldier accused of downloading and divulging hundreds of thousands of classified documents. The best modern systems now also monitor the activity going on inside the network to find anomalies that might indicate a problem – for example, a junior intelligence analyst like Manning accessing huge numbers of documents ranging far beyond his assigned responsibilities. In the near future, Lemnios said, self-mutating networks might actually redesign themselves to neutralize a threat. But, he said, “you have an adversary that’s working to counter each of those.”
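One way to implement the inside-the-network monitoring Lemnios describes, as an added example that is not part of the article or of any system it mentions: it scores a constructed document-access log and flags a user whose distinct-document count far exceeds that of peers in the same role, or who reaches into compartments outside an assumed assigned scope. The user names, compartments, log format and the scope feed are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample access log, not taken from the article: "user,role,compartment,doc_id".
# Three analysts read a handful of documents inside their assigned compartment; one reads
# far more and ranges into compartments outside his assignment.
ACCESS_LOG = [f"alice,analyst,REGION-A,doc-a{i}" for i in range(1, 7)]
ACCESS_LOG += [f"bob,analyst,REGION-A,doc-a{i}" for i in range(3, 9)]
ACCESS_LOG += [f"carol,analyst,REGION-B,doc-b{i}" for i in range(1, 6)]
ACCESS_LOG += [f"dave,analyst,{c},doc-{c.lower()}{i}"
               for c in ("REGION-A", "REGION-B", "REGION-C") for i in range(1, 41)]

# Hypothetical tasking feed: which compartments each user's assigned duties cover.
ASSIGNED = {"alice": {"REGION-A"}, "bob": {"REGION-A"}, "carol": {"REGION-B"}, "dave": {"REGION-A"}}

def summarize(lines):
    """Collapse raw access events into per-user distinct document and compartment sets."""
    summary = defaultdict(lambda: {"role": None, "docs": set(), "compartments": set()})
    for line in lines:
        user, role, compartment, doc = line.strip().split(",")
        s = summary[user]
        s["role"] = role
        s["docs"].add(doc)
        s["compartments"].add(compartment)
    return dict(summary)

def flag_anomalies(summary, assigned, volume_factor=3.0):
    """Return {user: [reasons]} for users whose access volume or breadth is anomalous.

    Volume baseline is the median distinct-document count among peers in the same role
    (excluding the user being scored); breadth is checked against assigned compartments.
    """
    by_role = defaultdict(list)
    for user, s in summary.items():
        by_role[s["role"]].append(user)
    flagged = {}
    for user, s in summary.items():
        reasons = []
        peers = [len(summary[p]["docs"]) for p in by_role[s["role"]] if p != user]
        if peers and len(s["docs"]) > volume_factor * median(peers):
            reasons.append(f"volume: {len(s['docs'])} distinct docs vs peer median {median(peers):.0f}")
        outside = s["compartments"] - assigned.get(user, set())
        if outside:
            reasons.append(f"scope: accessed {sorted(outside)} outside assigned {sorted(assigned.get(user, set()))}")
        if reasons:
            flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    for user, reasons in flag_anomalies(summarize(ACCESS_LOG), ASSIGNED).items():
        print(user, "->", "; ".join(reasons))
```

A peer-median baseline is deliberately robust to the one outlier being scored; in production the role groups and assigned scopes would come from an identity or tasking system rather than a literal.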
Perimeter defense – trying to keep hackers out altogether – is a losing game, the experts agreed. More effective and economical is defense-in-depth: posing one barrier after another, first to getting access, then to operating within the network, then retrieving information, and so on. Defense against foreign espionage doesn’t even try to keep all spies from entering the country, noted Sandia’s Peery; cyber-defense shouldn’t fixate on keeping all hackers from accessing the network.
Indeed, obsessing about the gross numbers of attacks and penetrations – instead of who’s attacking and what they’re after – is a potential trap, warned Michael Wertheimer, director of research and development at the National Security Agency. “Routine doesn’t mean that it isn’t important,” he said, but some attacks are more important than others. In particular, said Wertheimer, “we’re not keeping a close enough eye on that nation-state threat… We have to deploy a Division I team because the adversaries are Division I.”
Implicit in the experts’ testimony, but never quite said outright – at least not in open session; a closed-door session on classified matters followed – was that the best defense might be a good offense. If the goal is to raise the cost of an attack, then it may not be enough to put more barriers in place: The quickest way to raise an adversary’s costs is to attack him back.
That’s a dangerous game for which most U.S. cyber-capabilities are not well-suited – yet. (It’s interesting in this context that a U.S. Cyber Command lawyer recently praised the Stuxnet worm attack on Iran as a model for responsible cyber-attack). Systems designed to gather information on adversaries are not the best tools for hurting them. “We cannot simply scale intelligence-based cyber capabilities and adequately serve the needs of the DoD [Department of Defense],” said DARPA’s Ken Gabriel, in one of the open session’s few mentions of the U.S. taking the offensive. “Features that are vital for intelligence capabilities such as non-attribution and persistence” – i.e. the target can’t tell who’s attacking, and the attacker maintains access to the target network for a long time – “are typically not as critical for DoD capabilities.”
For example, Gabriel said, “a cyber exploit that always causes the target system to crash is not much of an intelligence exploit, [but] it may be exactly the effect that a DoD mission calls for.” In other words, subtlety isn’t always essential: Sometimes you just want to shut the other guy down hard.