As a long-term strategy for countering Cyber-Terrorism, we propose the "Two in Reserve" policy. This policy retains in reserve the two strongest defenses developed in each security area to be deployed only in a cyber-emergency to counter a otherwise unstoppable attack.
The rationale behind this policy is based on the theory of genetic mutation -- that deployment of a defense induces mutations in the population of active probes and attacks that accelerate the emergence of probes and attacks which are resistant to the deployed defense.
This population mutation occurs because the deployed defenses are in fact effective against certain classes of attacks. They render these attacks useless, and as those launching the attacks recognize this fact, they cease employing this particular weapon and it disappears from the population of active probes and attacks.
This "natural selection" removal of these now ineffective attacks from the attack arsenal shifts the makeup of the remainder towards those that circumvent (i.e. resist) the newly deployed defense. Moreover, the population (i.e. instances) of these resistant strains increases as their effectiveness becomes recognized.
This population shift doesn’t occur until the environment is altered by the deployment of a defense that modifies the survivability of the attack population.
By holding defenses in reserve, the defenders get to choose when to deploy them and maximize their effectiveness at that chosen time. A "natural selection" population shift will subsequently ensue, but it will take time -- even in cyber-space -- and that time will enable the defenders to regroup before the next wave.
During a cyber emergency, the ability to halt the attack thrust and buy time represents a major strategic advantage.
We suggest holding the two strongest defenses in each security area in reserve because no defense is effective against all attacks and the cupboard should never be completely bare.
However, for this policy to be effective two conditions must exist:
The first condition requires a national commitment to build and maintain an inventory of "in-reserve" defenses. Once this inventory has been built up, the rate of non-emergency deployment of defenses will be governed by the rate that new ones are created. Before being deployed, each newly developed defense will be compared with the two in-reserve defenses for that security area. If it is stronger than the weakest of the two it will replace that one in the in-reserve inventory and the replaced defense will be available for open deployment instead of the newly developed one.
Also implied by this first condition is the ability to determine whether one defense is stronger than another. This could theoretically be done by analysis but probably requires live testing of the defenses against a variety of known attacks and hypothesized future attacks. To do so, we would need to have a laboratory established in which such testing could be safely and realistically performed. Safety requires that the results of the testing, including the existence of the tested defenses be fully contained within the laboratory. Realism requires a red-team within the laboratory to launch the attacks, and an inventory of unknown hypothesized attacks to test the strength of the defense against unprecedented future attacks.
Finally, the "ready for deployment" part of first condition requires that the defenses in the in-reserve inventory be fully tested (again requiring a well-stocked isolated laboratory), and highly configurable to fit into the wide variety of systems into which it will eventually be deployed.
The "effective and timely deployment" condition requires the pre-emergency distribution of the defenses so that the cyber emergency itself can not compromise the distribution portion of the rapid deployment. However, the safety and integrity of those pre-distributed copies can't be guaranteed unless they are encrypted. Copies of the In-Reserve defenses would thus be pre-positioned and ready for use, but their actual deployment would be controlled by policy makers through the distribution of the decryption keys that unlock these In-Reserve defenses. Moreover, this encryption would also protect the secrecy of these defenses while they were awaiting emergency deployment.
During an emergency the keys could be distributed electronically or by voice phone calls. The keys could be defense and site specific so that compromised keys limited the set of vulnerable pre-distributed copies.
The keys could also be time limited so that the defense was automatically deactivated after a specified time period so that adversaries wouldn't be able to probe it after the attack had ended.Source:www.isi.edu