51 of 55 people found the following review helpful
Lack of operational security experience undermines argument,
This review is from: Cyberdeterrence and Cyberwar (Paperback)
As background, I am a former Air Force captain who led the intrusion detection operation in the AFCERT before applying those same skills to private industry, the government, and other sectors. I am currently responsible for detection and response at a Fortune 5 company and I train others with hands-on labs as a Black Hat instructor. I also earned a master's degree in public policy from Harvard after graduating from the Air Force Academy.
Martin Libicki's Cyberdeterrence and Cyberwar (CAC) is a weighty discussion of the policy considerations of digital defense and attack. He is clearly conversant in non-cyber national security history and policy, and that knowledge is likely to benefit readers unfamiliar with Cold War era concepts. Unfortunately, Libicki's lack of operational security experience undermines his argument and conclusions. The danger for Air Force leaders and those interested in policy is that they will not recognize that, in many cases, Libicki does not understand what he is discussing. I will apply lessons from direct experience with digital security to argue that Libicki's framing of the "cyberdeterrence" problem is misguided at best and dangerous at worst.
Libicki's argument suffers five key flaws. First, in the Summary Libicki states "cyberattacks are possible only because systems have flaws" (p xiii). He continues with "there is, in the end, no forced entry in cyberspace... It is only a modest exaggeration to say that organizations are vulnerable to cyberattack only to the extent they want to be. In no other domain of warfare can such a statement be made" (p. xiv). I suppose, then, that there is "no forced entry" when a soldier destroys a door with a rocket, because the owners of the building are vulnerable "to the extent they want to be"? Are aircraft carriers similarly vulnerable to hypersonic cruise missiles because "they want to be"? How about the human body vs bullets?
Second, Libicki's fatal understanding of digital vulnerability is compounded by his ignorance of the role of vendors and service providers in the security equation. Asset owners can do everything in their power to defend their resources, but if an application or implementation has a flaw it's likely only the vendor or service provider who can fix it. Libicki frequently refers to sys admins as if they have mystical powers to completely understand and protect their environments. In reality, sys admins are generally concerned about availability alone, since they are often outsourced to the lowest bidder and contract-focused, or understaffed to do anything more than keep the lights on.
Third, this "blame the victim" mentality is compounded by the completely misguided notions that defense is easy and recovery from intrusion is simple. On p 144 he says "much of what militaries can do to minimize damage from a cyberattack can be done in days or weeks and with few resources." On p 134 he says that, following cyberattack, "systems can be set straight painlessly." Libicki has clearly never worked in a security or IT shop at any level. He also doesn't appreciate how much the military relies on civilian infrastructure from everything to logistics to basic needs like electricity. For example, on p 160 he says "Militaries generally do not have customers; thus, their systems have little need to be connected to the public to accomplish core functions (even if external connections are important in ways not always appreciated)." That is plainly wrong when one realizes that "the public" includes contractors who design, build, and run key military capabilities.
Fourth, he makes a false distinction between "core" and "peripheral" systems, with the former controlled by users and the later by sys admins. He says "it is hard to compromise the core in the same precise way twice, but the periphery is always at risk" (p 20). Libicki is apparently unaware that one core Internet resource, BGP, is basically at constant risk of complete disruption. Other core resources, DNS and SSL, have been incredibly abused during the last few years. All of these are known problems that are repeatedly exploited, despite knowledge of their weaknesses. Furthermore, Libicki doesn't realize that so-called critical systems are often more fragile that user systems. In the real world, critical systems often lack change management windows, or are heavily regulated, or are simply old and not well maintained. What's easier to reconfigure, patch, or replace, a "core" system that absolutely cannot be disrupted "for business needs," or a "peripheral" system that belongs to a desk worker?
Fifth, in addition to not understanding defense, Libicki doesn't understand offense. He has no idea how intruders think or the skills they bring to the arena. On pp 35-6 he says "If sufficient expenditures are made and pains are taken to secure critical networks (e.g., making it impossible to alter operating parameters of electric distribution networks from the outside), not even the most clever hacker could break into such a system. Such a development is not impossible." Yes, it is impossible. Thirty years of computer security history have shown it to be impossible. One reason why he doesn't understand intruders appears on p 47 where he says "private hackers are more likely to use techniques that have been circulating throughout the hacker community. While it is not impossible that they have managed to generate a novel exploit to take advantage of a hitherto unknown vulnerability, they are unlikely to have more than one." This baffling statement shows Libicki doesn't appreciate the skill set of the underground.
Libicki concludes on pp xiv and xix-xx "Operational cyberwar has an important niche role, but only that... The United States and, by extension, the U.S. Air Force, should not make strategic cyberwar a priority investment area... cyberdefense remains the Air Force's most important activity within cyberspace." He also claims it is not possible to "disarm" cyberwarriors, e.g., on p 119 "one objective that cyberwar cannot have is to disarm, much less destroy, the enemy. In the absence of physical combat, cyberwar cannot lead to the occupation of territory." This focus on defense and avoiding offense is dangerous. It may not be possible to disable a country's potential for cyberwar, but an adversary can certainly target, disrupt, and even destroy cyberwarriors. Elite cyberwarriors could be likened to nuclear scientists in this respect; take out the scientists and the whole program suffers.
Furthermore, by avoiding offense, Libicki makes a critical mistake: if cyberwar has only a "niche role," how is a state supposed to protect itself from cyberwar? In Libicki's world, defense is cheap and easy. In the real world, the best defense is 1) informed by offense, and 2) coordinated with offensive actions to target and disrupt adversary offensive activity. Libicki also focuses far too much on cyberwar in isolation, while real-world cyberwar has historically accompanied kinetic actions.
Of course, like any good consultant, Libicki leaves himself an out on p 177 by stating "cyberweapons come relatively cheap. Because a devastating cyberattack may facilitate or amplify physical operations and because an operational cyberwar capability is relatively inexpensive (especially if the Air Force can leverage investments in CNE), an offensive cyberwar capability is worth developing." The danger of this misguided tract is that policy makers will be swayed by Libicki's misinformed assumptions, arguments, and conclusions, and believe that defense alone is a sufficient focus for 21st century digital security. In reality, a kinetically weaker opponent can leverage a cyber attack to weaken a kinetically superior yet net-centric adversary. History shows, in all theatres, that defense does not win wars, and that the best defense is a good offense.
Tracked by 1 customer
Sort: Oldest first | Newest first
Showing 1-8 of 8 posts in this discussion
Initial post: Nov 26, 2009 7:35:25 AM PST
Last edited by the author on Nov 26, 2009 12:04:11 PM PST
F. Hare says:
In reply to an earlier post on Nov 26, 2009 7:37:22 AM PST
Richard Bejtlich says:
I take it you do not have any experience with computer security, like Mr Libicki?
In reply to an earlier post on Nov 26, 2009 12:04:41 PM PST
F. Hare says:
Good point. I updated my post accordingly.
In reply to an earlier post on Nov 28, 2009 3:10:15 PM PST
W. R. Frank says:
I would agree with your last sentence. Your inability to see the reviewer's point is due to your lack of computer security skills.
Posted on Nov 30, 2009 6:31:26 AM PST
Last edited by the author on Nov 30, 2009 6:31:48 AM PST
Richard Bejtlich says:
Re my line "Fourth, he makes a false distinction between "core" and "peripheral" systems, with the former controlled by users and the later by sys admins."
Thanks to GS for pointing out that I should have said:
"Fourth, he makes a false distinction between "core" and "peripheral" systems, with the former controlled by sys admins and the latter by users."
Posted on Dec 3, 2009 10:09:23 AM PST
Retired Reader says:
This is an extremely will developed review that provides a sound basis for rejecting this book. Though as a rule I don't think reviewers should include their own background data, in this case it is completely relevant and gives great credibilty to the review. Well Done!
Posted on Nov 30, 2010 4:16:18 AM PST
Last edited by the author on Nov 30, 2010 9:26:32 AM PST
Vance Christiaanse says:
Richard Bejtlich's review, as its title tells us, is not focused on the main ideas of the book but on minor points. The book is about policy but the review lists five "key flaws" in the author's "operational security experience". I would like to respectfully suggest that perhaps Richard Bejtlich's extensive operational security experience was a liability for him rather than an aid as he read this book.
According to Richard Bejtlich, Martin Libicki's claim that there is "no forced entry in cyberspace" is key flaw #1 in his book. It's easy to imagine how years of experience in server rooms could make Bejtlich imagine there was such a thing as "force" in the cyber realm. What sys admin hasn't wished he could "force" a server to continue running, even as it follows the inexorable logic of its own instructions to a crash? But no such "force" is possible, no matter how much Bejtlich might wish it was.
To expand on the door metaphor in Bejtlich's review: a cyber attacker when confronted with a metaphoric "door" may simply open the door if we failed to lock it. He may pick the lock, using the laws of physics and taking advantage of weaknesses or mistakes in the design. He may steal or forge a key. He may replace the original door with a different one that opens for him. He may go through the door repeatedly, denying us access. But what would it mean in this metaphor to "force" the door? The applicability of Bejtlich's other metaphors to cyber-war is even less clear. It's interesting that Bejtlich defends his point when challenged by F. Hare in these comments by raising the issue of Hare's and Libicki's security experience rather than by giving any actual example of "forced entry".
Regarding key flaw #2, attribution of "mystical powers" to sys admins, Libicki writes the opposite on page 19: "Furthermore, individual system administrators almost never have direct visibility into packaged software and cannot fix vulnerabilities of which the software vendor is itself unaware." It's possible Libicki sometimes uses the specific term "sys admins" when he means a somewhat larger group that includes "sys admins" but it's hardly a "key flaw" in the book.
Regarding key flaw #3, the claim that defense is easy: Bejtlich himself admits that sys admins currently lack the resources they need to do their jobs and Libicki is advocating an increased emphasis on cyber defense--which would include more resources for sys admins. Here again, Bejtlich's familiarity with the past has made it difficult for him to imagine the future Libicki is advocating. Aside: Bejtlich quotes from page 160 of the book but overlooks the word "core" when he attempts to rebut it.
Bejtlich disagrees with Libicki about cyber offense (flaw 5) but that may be because they are using different definitions. For Bejtlich, cyber offense means killing people who develop software. In Libicki's book, cyber war occurs in cyberspace.
I get the message that Bejtlich disagrees with Libicki's conclusions. Perhaps he can be induced to write a second review where he addresses Libicki's logic rather than minor points.
In reply to an earlier post on Nov 3, 2012 4:06:58 AM PDT
Curtis T. Switzer says:
Richard what is a book on Cyber Security that you would recommend.
‹ Previous 1 Next ›