15 December, 2007

Cyberwarfare and History

I am personally fascinated with Cyberwarfare, not only from a professional point of view but an academic one. The influence of technology on warfare has always fascinated me. In fact, Military History was my major in college (I was especially fascinated with the 1600s-1800s). Then, after I got my degree in History I spent four years as a tank officer in the US Army’s Rapid Deployment Force. Combine that with my passion for information security (I’ve been doing it for ten years now) and you begin to understand my interest. After reading several excellent blogs and articles on Cyberwarfare I got my creative ideas flowing. There are some fundamental issues here that really concern me.
  1. First, I really think the organizations that can adapt most easily to Cyberwarfare are intelligence organizations. Cyberwarfare is about information, intelligence is about information. If you want to take out a computer, you have to know things about that computer. If you want to infiltrate networks, you have to know things about the network. If you want to steal or modify data, you have to know things about that data. This is going to be hard for combat arms folks to deal with, for example people who fight on tanks or from jet fighters. Those folks are taught to blow things up as fast as possible and as violently as possible. See target, destroy target. In the cyber world there is often nothing to blow up. In fact, when you have achieved your goal and you have successfully attacked your target, you often don't want the enemy to know it. Also, in combat arms you are trained that there is a definite beginning and a definite end, which brings me to my second point.
  2. Just like in intelligence, in Cyberwarfare there is no beginning or end, just levels of intensity. We are already fighting a global Cyberwar. It's not officially declared, there are no official sides, but it's already happening and will continue to happen. There may be times when conventional warfare is fought along with it, but Cyberwar is here and now. In fact, many people today view Cyberwarfare as supporting conventional war, but I feel in the future it may be the other way around: conventional weapons will be supporting Cyberwarfare.
  3. Last, I really think things are going to get messier. There have already been several well written articles about the ‘asymmetric’ approach of Cyberwarfare: how one side can attack and there is nothing for the defender to strike back at. There have also been discussions on how Cyberwarfare is the great equalizer. What value is there in having 12 aircraft carrier groups when someone with a 128Kbps connection to the Internet can theoretically shut those systems down, or the systems supporting the carrier groups? As I said, I think things are going to get worse. Historically there has been one thing constant in warfare since the dawn of time: mercenaries. Soldiers for hire to the highest bidder. Now a third world country can theoretically take out a first world country, not because they have the weapons or expertise, but simply because they happen to have a big bank account at that time and can hire some talent to do the job. The talent for hire is already out there, the underground cyber/criminal economy. The question is, what nations are now tapping into that talent not for crime, but to get the jump ahead in Cyberwarfare? Think about it, what better way to hide your Cyberwarfare/intelligence attacks than to make them look like common cyber crime.
Definitely interesting times ahead, times that are going to radically change military history. And you thought the Roman legion, the longbow, the Minié ball, and the airplane radically changed warfare :)

12 December, 2007

ROSI

The folks at Intel posted a very interesting paper on ROSI (Return on Security Investment). As I mentioned in my blog on metrics, trying to determine the value of your security investment is very difficult. Some may argue it's not even possible. What is so interesting about the Intel report is that it's both easy to read and it's based on past implementation. In other words, they talk about what they did. I think this paper is a wonderful start. However, I'm not sure just how effective the method would be. Overall their approach is: you measure all the incidents that happened in the past (they used two years of data), estimate the average cost per incident and then total the cost. Then implement your security controls and measure how many incidents you have. The delta is your savings. While a very effective starting point, I have several questions I can't figure out.
  1. What happens with this method when your new security program mitigates incidents you never detected in the first place? For example, let's say you counted 400 incidents in your organization last year, but there were really 500. When you implemented your new security measures your incidents drop to zero. Your delta is off by 100 incidents. I'm nitpicking here, but your security program actually has a far greater ROI. The reason I'm concerned about this is because a good security program mitigates threats/vulnerabilities you did not know about.
  2. However, what I'm even more concerned about is that good security includes good detection. Now, what happens if you start with 400 incidents, then implement security controls that include good detection? All of a sudden you are detecting many more incidents you never would have detected before. Even though the total incidents could have gone down, because of your improved detection capabilities management perceives they have gone up.

I commend Intel for what appears to be a great start. However, I just can't believe ROSI is as simple as counting incidents and measuring deltas. Just look at TJX, all they have had is just one security incident in the past 3 years (that we know about).
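To make the two objections above concrete, here is a small added example (my own illustration, not code from the Intel paper) that computes the naive before/after delta the paper describes and then recomputes it after correcting each period's count for an assumed detection rate. All numbers (the 400/500 counts, the detection rates, the $10,000 average incident cost and the $1M programme cost) are constructed for the example; the detection rates in particular are assumptions you would have to estimate independently of the incident counts themselves, for instance from red-team exercises or incidents discovered after the fact.

```python
"""Naive ROSI (count incidents before and after, multiply by an average cost,
take the delta) versus a detection-adjusted estimate.

Added example for illustration only; all figures are constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Period:
    """One measurement window, e.g. the year before or after a control rollout."""

    observed_incidents: int
    # Assumed fraction of real incidents that were actually detected in this
    # window. The naive method implicitly sets this to 1.0. It must come from
    # something independent of the counting (red-team tests, audits, incidents
    # found retrospectively), otherwise it is just a guess.
    detection_rate: float

    def estimated_true_incidents(self) -> int:
        """Scale the observed count up by the assumed detection rate."""
        if not 0.0 < self.detection_rate <= 1.0:
            raise ValueError("detection_rate must be in (0, 1]")
        return round(self.observed_incidents / self.detection_rate)


def naive_savings(before: Period, after: Period, cost_per_incident: float) -> float:
    """Delta on raw counts, as the paper describes: (before - after) * avg cost."""
    return (before.observed_incidents - after.observed_incidents) * cost_per_incident


def adjusted_savings(before: Period, after: Period, cost_per_incident: float) -> float:
    """Same delta, but on the detection-corrected estimates for each period."""
    delta = before.estimated_true_incidents() - after.estimated_true_incidents()
    return delta * cost_per_incident


def rosi(savings: float, control_cost: float) -> float:
    """Return on security investment as a ratio: (savings - cost) / cost."""
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    return (savings - control_cost) / control_cost


def compare(before: Period, after: Period, cost_per_incident: float, control_cost: float) -> dict:
    """Return both views side by side so the distortion is visible."""
    naive = naive_savings(before, after, cost_per_incident)
    adjusted = adjusted_savings(before, after, cost_per_incident)
    return {
        "naive_savings": naive,
        "adjusted_savings": adjusted,
        "naive_rosi": rosi(naive, control_cost),
        "adjusted_rosi": rosi(adjusted, control_cost),
    }


if __name__ == "__main__":
    COST_PER_INCIDENT = 10_000.0   # constructed average cost per incident
    PROGRAMME_COST = 1_000_000.0   # constructed cost of the new controls

    # Point 1: 400 counted but 500 real (80% detected); the programme drives
    # real incidents to zero, yet the naive delta only credits 400 of them.
    undercount = compare(Period(400, 0.8), Period(0, 0.95), COST_PER_INCIDENT, PROGRAMME_COST)
    print("undercounted baseline:", undercount)   # naive ROSI 3.0, adjusted 4.0

    # Point 2: detection improves from 40% to 90%; real incidents halve
    # (1000 -> 500), but the raw count goes UP (400 -> 450), so the naive
    # method reports a loss while the adjusted one reports a large gain.
    better_detection = compare(Period(400, 0.4), Period(450, 0.9), COST_PER_INCIDENT, PROGRAMME_COST)
    print("improved detection:", better_detection)   # naive ROSI -1.5, adjusted 4.0
```

The second scenario is the one to watch for in practice: a programme that adds visibility will look like it made things worse under a raw-count delta, so any before/after comparison needs to carry an estimate of detection coverage for each period, or at least separate "incidents we would have seen anyway" from "incidents the new detection surfaced".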

03 December, 2007

Metrics - The Puzzle

Security metrics is something I'm having a growing interest in, for several reasons. First, it's important to be able to justify the return on investment. If you can't demonstrate the value of security, why should anyone implement it? Second, being a security professional I would like to know if what I'm doing is having an effect. Is there anything I can be doing differently to improve my approach? Continuing my slugfest of attempting to read (and understand) NIST's SP800 series documentation, I was quite surprised to see a lot of value in SP800-80, "Guide for Developing Performance Metrics for Information Security". As with most of the SP800 papers, you have to fight your way through the government speak and academic noise. I really think you could easily cut many of the SP800 papers by at least 50%. For example, in SP800-80 you have to go through 20 pages before you get to the good stuff. However, there are two key things I REALLY liked about NIST's metrics paper.

1. First, they break metrics down into 3 different categories. This is something I never thought of, there are big differences between areas that can be measured. These are identified on page 15 as follows:
  • IMPLEMENTATION: This is the one that I see most commonly used, but I feel it has the least value. It tracks how much has been done. For example, how many accounts have a unique identity tied to them, how many desktop computers have been configured to a security standard, or how many end users have received security awareness training.
  • EFFECTIVENESS: Now this is where the rubber meets the road and things get harder. How do you demonstrate the effectiveness of your security? This is what interests me the most also, what can I do to improve?
  • IMPACT: For a NIST document, I was impressed to see this metric definition. It is the attempt to measure the impact to your business, your ROI. As discussed on various other blogs and publications, this is easily the hardest thing to measure. In fact, it is often argued if security can even be considered ROI, or is it simply loss prevention.

2. The second thing I liked were the examples in the appendix. If SP800-80 only broke down metrics into three categories, I would not have been overly impressed. Where the magic happens is they have examples of these metrics in the 18 different control domains identified in SP800-55 (ISO 27001 Annex A has 11 such control domains). In addition, what I found very helpful was that each security domain not only has metrics, but the overall strategic goal and information security goal of the controls.

All in all, I found this to be one of the most helpful SP800 documents I have read so far for an ISMS approach. Even though it's FISMA specific (as all SP800 documents are) it can apply to other models as well. However, if you are short on time I suggest skipping all the noise and going straight to the appendix on page 22 where the examples are. That is the true value of this document.