White Paper for a Strategic Cyber Defense Concept:
Deterrence Through Attacker Identification
Abstract: Strategic Cyber Defense is a complex and broad-ranging concept. Yet, despite this complexity, we can make some progress in developing our understanding by focusing on a few key elements of any good defensive strategy. This paper will specifically focus on the long-recognized value of deterrence, through threat of retaliation, as an effective means of defense. The means for enabling deterrence in the cyber realm will be introduced.
Deterrence is a fundamental element of defensive strategy. However, for deterrence to be effective, potential antagonists must be convinced that they will be identified, and punished swiftly and severely. This is the essence of the three key causal variables of General Deterrence Theory: Certainty, Severity, and Celerity. Unfortunately, while the methods for identifying perpetrators of crimes in the law enforcement context, and attackers in the military context, are well-developed, similar capabilities do not currently exist for the networked cyber realm. Thus, while deterrence is recognized as a highly effective defensive strategy, its applicability to defense against attacks on our nationís information infrastructures has not been clear, mainly due to the inability to link attackers with attacks.
A conceptual tool that can help to visualize and understand the problem is to think of a thread, or sequence, of steps (with requisite technologies) necessary to effect a deterrent capability. As with the "weak link" and "picket fence" analogies, if any one of these steps is missing or ineffective, the ability to achieve the desired result is compromised. The figure below depicts such a thread in its simplest form.
Looking at this thread, we can see that current intrusion detection technology is focused primarily on the first element in the sequence above. Any "response" is generally limited to logging, reporting, and isolating or reconfiguring. What is missing is the ability to accurately identify and locate attackers, and develop the evidentiary support for military, legal, or other responses selected by decision-makers. While defensive techniques are important, it's critical not to "stovepipe" in such a way that we can't effectively link with the offensive component of an overall Strategic Cyber Defense.
In addition to detecting the attacks, perhaps we should also be developing a "forensic," or identification capability, to pass the necessary "targeting" information on to the offensive components of the force, regardless of whether the response is through physical or cyber means. Such a capability is critical if our cyber defenses are to transcend beyond a merely reactive posture to one in which both offensive and defensive techniques can be effectively applied in tandem. This is in line with the established principles of war, which suggest that an offensive (and therefore deterrent) spirit must be inherent in the conduct of all defensive operations. Forensics could help to provide the bridge between the defensive and offensive elements of an overall cyber defense strategy. Accurate and timely forensic techniques would also enable the effective use of the three elements of deterrence. Otherwise, attackers can act with impunity, feeling confident that they need not fear the consequences of their actions.
Forensics is a promising area of research which could help to provide the identification and evidence necessary to support an offensive response against attacks on our information infrastructure, regardless of whether that response is executed through physical, IW, or other means. Although forensic techniques are highly developed for investigations in the physical realm, and are being developed for application to computer crime, what is needed is an analogous capability for real-time, distributed, network-based forensic analysis in the cyber realm. It would seem appropriate to incorporate the collection of forensic data with the intrusion detection and response types of technologies currently being developed. Critical supporting technologies include those needed for correlation and fusion of evidence data, as well as automated damage assessment.
The importance of solid identification and evidence linking an attacker with an attack will be critical in the increasing complexity of the networked information environment. Cyber attacks against the United States and its allies may not have the obvious visual cues and physical impact typically associated with attacks in the physical realm. In these cases, the available courses of action will be heavily influenced by various political, legal, economic, and other factors. Depending on the situation, it may be necessary to have irrefutable proof of the source of the attack, the kind of proof typically developed through forensic types of methods.
The RAND Corporation has recommended to DARPA some approaches which are both similar and complementary to that suggested in this paper, based on the results of its "Day After in Cyberspace" exercise. One suggested concept is for a "cyberspace hot pursuit" capability, to aid in the back-tracing of incidents to discover perpetrators. They also point out that use of such a capability implies the need for laws specifying authorization to conduct cyberspace pursuits, and cooperative agreements with foreign governments and organizations. A second suggestion is for the development of a tamper-proof, aircraft-like "black box" recording device to ensure that when an incident occurs and is not detected in real time, the trail back to the perpetrator does not become lost.
Extending the aircraft analogy further, the need for effective identification during cyberspace pursuits, and for coordinating offensive IW response actions through intermediary "friendly" networks, may necessitate a type of "network IFF" capability, just as the introduction of fast-moving aircraft in the physical realm necessitated the need for secure Identification Friend or Foe. Although the need for IFF has traditionally been a concern at the tactical level of warfare, the failure to effectively deal with such issues could certainly have strategic implications.
One issue of concern at the strategic level of information warfare is the distinction between the military and private sector information infrastructures. It is clearly not feasible to require the private sector to secure its systems to the level required for military networks. The approach suggested in this paper may be applicable regardless of whether the networks attacked belong to the military. For example, in the physical realm today, if a civilian target is struck, the FBI and other Federal agencies are called in to assist and investigate the incident, and when the identity of the attackers is determined, appropriate legal, political, or military actions are taken in response. From an organizational perspective, efforts are under way to develop the necessary coordination structures, such as the National Infrastructure Protection Center, between the private and commercial sectors. From a technical perspective, major elements of the commercial infrastructure could participate in a national-level monitoring system, while private entities could maintain their own in-house capabilities with the ability to provide necessary data to national authorities following an incident just as would be the case with the FBI being called in to investigate a crime.
Another fundamental concern the suggested approach may help to address is the problem of malicious "insiders." The security paradigm of enclaves separated by boundary controllers is most effective against attacks from the outside. Attacks initiated from within the enclave, possibly even by a "trusted" insider, have traditionally been much harder to defend against. Cyber forensics techniques may provide the type of capability needed to deal with this problem, which simply cannot be addressed by traditional security techniques based on privileges. These systems simply check whether a user is acting within the prescribed privileges, while remaining in complete oblivion regarding the abuse of these privileges.
This paper discussed a deterrence-based approach as an element of an overall cyber defense strategy. The need for timely and unequivocal identification of attackers is essential for such an approach to be effective. Unfortunately, the technical basis for such identification has not received much attention to date from the research and development community. In addition, there may be some complicating factors for the implementation of the type of identification and forensics capability discussed in this paper, such as the widespread move to encryption. However, until research and development resources are committed to investigation of the relevant issues, the extent of the challenge cannot be fully understood.