Cyber defense without national-level defenders will always fail


The 1991 US National Research Council unclassified report “Computers at Risk – Computer Security in the Information Age” clearly states the problem:

We are in danger. More and more, America depends on computers. They control the supply of electricity, communications, aviation and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable – to the effects of poor design and insufficient quality control, to accidents, and perhaps most alarmingly, deliberate attacks.

Three decades later, the sole superpower has become accustomed to being the target of deliberate cyberattacks. Ransomware has hit big cities from Baltimore to Atlanta, local governments, hospitals and, particularly hard, schools. Even third-tier powers directly attack the American homeland.

At Christmas 2014, Sony Pictures Entertainment (SPE), the California-based entertainment company employing over 9,000 people, was to release the film The Interview. The plot of the action comedy revolves around the Central Intelligence Agency (CIA) recruiting two incompetent American artists to assassinate Supreme Leader Kim Jong-un in Pyongyang. The Democratic People’s Republic of Korea (DPRK) judged the beheading plot intolerable, terrorism and an act of war, and predictably threatened merciless reprisals. But this time, the backward and isolated state found a way to project power into the United States.

Cyber attackers then stole terabytes of data and erased and rendered inoperable thousands of SPE computers in the US, UK and elsewhere. SPE did not comply with the hackers’ demands and continued with plans to release The Interview. Next, the cyber attackers released SPE’s internal emails, payrolls and business plans, along with four never-before-seen films. As you might expect, the Western media reveled in the gossip doxed from SPE emails. The perpetrators threatened to publish confidential data and personally threatened 3,800 US SPE employees. While SPE had yet to decide the film’s fate, on December 16, North Korean cyberattackers threatened physical attacks on American cinemas showing the film; AMC Theatres and most major theater owners quickly declined to screen the film. Sony then decided not to release the film, effectively giving in to North Korea. Despite President Barack Obama speaker DPRK publicly downgrades dissuaded United States.

Iran, like North Korea, is openly hostile to the United States while lacking the ability to project economic or military power within the United States. Iran, like North Korea, has demonstrated efficient use of cyber power. For example, a US Department of Justice (DoJ) indictment released on March 23, 2018, describes how several Iranians organized the Mabna Institute in Tehran to target more than 100,000 professors at 320 universities, including 144 in the United States and 176 in twenty-one other countries. The small team achieved global reach using known tactics, techniques and procedures (TTPs), such as phishing and password spraying, without performing significant R&D. The Iranians then used the thousands of stolen credentials (including 3,768 accounts at American universities) to obtain $3 billion worth of Western intellectual property. The perpetrators aided the Iranian national effort on behalf of the Islamic Revolutionary Guard Corps (IRGC) and profited from the sale of the stolen data and credentials. Furthermore, Iran and North Korea have leveraged ransomware to hit the American homeland.

What do these attacks and the more recent wave of ransomware have in common? A foreign adversary planning a destructive attack on America’s heartland faces national-level defenders on land, at sea, and in the air. A foreign adversary launching a direct cyber attack on a non-military target will encounter none.

Why has this lack of state-level defense become the norm? A lack of capabilities cannot be the reason. After all, the United States has unrivaled intelligence and military forces, global operational experience, great outreach, and large budgets. Moreover, Americans own cyberspace with an excellent innovation system and an elaborate industrial base. Current logic asserts (rightly) that a military approach is not suitable for defending civilian targets against cyber threats. However, the defense and military establishment can abuse it to escape the burden of change. A recent report from the Congressional Research Service, “Introduction to Defense: Operations in Cyberspace”, succinctly describes the federal cybersecurity organization. The primary advocate, the Department of Defense (DoD), will only assist the nation in the event of a cyber emergency. Put simply, it’s only after things get really tough that the fighters will take over and lead America to victory. The DoD shouldn’t be bothered with the boring day-to-day security of movie studios or hospitals. The flaw in the logic is that even if the DoD succeeds, it will be too late.

Pervasive insecurity is the result of poor adaptation of strategic defense in times of peace. Thus, national cyberpower debates must refocus on a non-technical question: how to stimulate and guide effective change in defense missions, strategies, doctrines, forces and organizations. This challenge is not new.

Contrary to witticisms, serious research attests that states and militaries are preparing for future wars. Maladaptation rarely manifests itself by denying that reality is changing. Militaries are big bureaucracies and, as Harvard professor Stephen Peter Rosen wrote, “almost everything we know in theory about large bureaucracies not only suggests that they are difficult to change, but that they are designed not to change.” The adaptation of strategic defense in peacetime usually fails because defense organizations are unwilling or unable to really change their ways.

For more than six decades, social scientists have built up a body of scholarship on military adaptation. Although an overview is beyond the scope of this article, I offer a sampling of studies addressing the lingering issues that now plague cybersecurity.

Azar Gat studied the theories of mechanized warfare in the air and on the ground, demonstrating that technology alone does not drive innovation or its course. Frederic A. Bergerson’s groundbreaking political science study explains the revival of U.S. Army aviation from 1942 to 1970: a few militant reformers who opposed the policy but worked to change it from within the military organization generated a crucial defense adaptation. Finally, Rosen identified that military innovation stems from new avenues of promotion for young officers.

Theoretical stagnation is the root cause of America’s cyber insecurity. None of the branches of defense accepts a new and challenging mission: to defend the homeland against foreign cyberattacks. Moreover, radical innovation in cyber defense will not emerge on its own. Instead, academics and policymakers should leverage the defense innovation scholarship to ensure adequate security.

Lior Tabansky, Ph.D., is Research Development Manager at the Blavatnik Center for Interdisciplinary Cybersecurity Research, Tel Aviv University (TAU).

Picture: Flickr.