PSC 1003; Lecture 18
This 5 page Class Notes was uploaded by Eleanor Parry on Friday February 12, 2016. The Class Notes belongs to PSC 1003 at George Washington University taught by Farrell, H in Fall 2015. Since its upload, it has received 29 views. For similar materials see Introduction to International Politics in Political Science at George Washington University.
Date Created: 02/12/16
Cybersecurity

Outline
• Cyber applications of traditional security ideas
  ◦ Trying to deter in cyberspace
  ◦ Figuring out the Offense-Defense Balance
  ◦ Can offense and defense be distinguished?

Attacking and Defending in Cyberspace
• Key assets - computer systems.
  ◦ Can hold crucial information.
  ◦ Can also control physical infrastructure, defense or weapon systems.
• Attacks
  ◦ Hacking
  ◦ Viruses
  ◦ Trojans
  ◦ Social Engineering
• Defense
  ◦ Firewalls
  ◦ Diagnostics
  ◦ "Air gaps"

Deterring Actions in Cyberspace
• What are the conditions you need in order to be able to deter?
  ◦ 1) Clear Mutual Understanding
  ◦ 2) Ability to identify attacks
  ◦ 3) Ability to identify attackers
  ◦ 4) Ability to make credible threats to retaliate

Creating Clear Mutual Understanding
• Key problem of Cold War after Cuban Missile Crisis.
  ◦ Creation of lines of communication and rough common understanding.
  ◦ Darrel on norms as source of common understanding.
• How to create in cyberspace?
• Complex problem, given lack of agreement/understanding over what the rules should be.
  ◦ Lack of immediate crisis to provide urgency.

Some of the Problems
• What actually constitutes a cyber attack?
• What kinds of retaliation are appropriate?
  ◦ Cyber v cyber? Sanctions? Use of kinetic weapons?
• What are appropriate targets?
  ◦ Military targets? Economic targets? Civilian targets?

Ability to identify attacks
• Necessary to be able to identify attacks to deter them.
• Usually straightforward in conventional military operations.
• But may not be in cyber attacks.
  ◦ Spying may never be discovered.
  ◦ Systems can be degraded in subtle ways.
• How can these kinds of attacks be dealt with?

Ability to make credible threats to retaliate
• If threat to retaliate is non-credible, then deterrence is impossible.
• Need to have ability to project force.
• Also need declaratory policy so that adversaries have some reason to believe that retaliation will happen.
• Should cyberdeterrence rest on cyber weapons alone?

Deterrence by Denial
• Insight behind deterrence by denial - that higher defenses lower the odds of success, hence having a deterrent impact.
• But there are limits to logic.
• If the expected costs of attack are low, an attacker may go ahead, even if the odds of success are not that great.
• Also depends on quality of defense.

Offense-Defense Balance
• What is the offense-defense balance in cybersecurity?
• Many argue that cybersecurity favors offense over defense.
  ◦ Defenses are inherently patchy and uncertain.
  ◦ Much of the key infrastructure is poorly protected.
  ◦ Attack capabilities are relatively very cheap.

Offense-Defense Distinguishability
• How easy is it to distinguish offense from defense?
• Sometimes, they can be distinguished - firewalls etc. have no obvious offensive purposes.
• But many aspects of cybersecurity are not so distinguishable.
  ◦ White hat hackers and black hat hackers.
  ◦ Red Team exercises.

Not Distinguishable & Offense Dominant
• Expansion is easy, war is frequent.

Implications
• Confrontation and spiraling distrust are very likely.
• Deterrence is very nearly impossible.
• Hard to distinguish friends from foes.
• Nearly impossible to build arms control style treaties that states will actually abide by.

Results
• Traditional forms of security analysis were developed in a different era.
  ◦ May get important aspects wrong - or leave out key factors.
• Identify key challenges for cybersecurity.
• Help explain pessimism of many national security analyses.

Cybersecurity Policy

Dilemmas of Cyberdefence
• Security officials face fundamental dilemmas when thinking about defense.
• 3 options
  ◦ Deterrence
  ◦ Defense
  ◦ Deterrence by denial

Practicalities of Deterrence
• Deterrence is hard to implement for the practical reasons discussed last class.
• Libicki
  ◦ Do we know who did it?
  ◦ Can we hold their assets at risk?
  ◦ Can we do so repeatedly?
• All three needed for deterrence to work well.

Practical efforts to retaliate
• US Olympic Games attack on Iranian nuclear program.
• Led to possible response from Iran - suspected culprit behind compromising of thousands of Aramco computers.

The Problem of Defense
• Computer security has a number of tools aimed at preventing hostile incursions, as discussed last class.
  ◦ Firewalls
  ◦ Network monitoring
  ◦ Air gaps
  ◦ Crypto plus permissions
• None of these really address major defense challenges.
• The internet is not designed for security.

US Defense Policy
• Starts from presuppositions identified on Tuesday.
• Cyberwarfare is asymmetric.
• Cold War style deterrence doesn't work in cyberspace.
• Offense is dominant over defense.

Implications for Policy
• Little reliance on standard deterrence.
  ◦ Weak guidance as to how the US would respond/retaliate to attack (preserving flexibility over making credible threats).
  ◦ Rules of engagement set in advance - but not announced or even really hinted at.
  ◦ Speaking softly... but carrying a big stick.

Deterrence by Denial
• Some role of deterring people from attacking through strong defenses.
  ◦ Emphasis on power and sophistication of US defensive capacity.
  ◦ Multilayered approach - lots of money - trained personnel.
  ◦ Contrast to nearly complete lack of discussion of retaliatory capacity.

Active Defense
• Seeks to mitigate risks of insecure internet.
  ◦ Monitoring and testing of imported technology.
  ◦ Active computer hygiene, air gaps and firewalls.
  ◦ Strong protections for .mil domain.
  ◦ Cyber range for modeling attacks and red team exercises.
  ◦ Centralized authority for traditional defense.
  ◦ But weaker protection for .gov and very little indeed for .com.

Solving problems in longer term
• Creating better defensive solutions is hard in short term.
• But could conditions be shifted over longer run to make defense easier?
  ◦ Defensive v offensive
• Some efforts underway to do just that.

Solving Attribution through Technology
• Deterrence might be much easier if attribution problem was resolved.
• Efforts at DARPA and elsewhere to deal with problem through better tracking of attacks.
• But has limitations.
  ◦ Can one publicly visible and generally accepted forms of attribution?
  ◦ If so, does one provide info that allows malefactors

Building Norms
• Norms can serve as basis of mutual understanding, make deterrence more plausible in long run.
  ◦ Key focus of policy.
• But hard to achieve given lack of agreement.
  ◦ Stark disagreements within US and West.
  ◦ Stark disagreement between US and adversaries such as China and Russia.

Olympic Games (Stuxnet)
• Sought to delay Iranian nuclear program.
• Attacked uranium refinement cycle.
  ◦ Requires thousands of centrifuges.
• Spyware mapped out controllers and provided information to NSA.
• Allowed creation of map of how system worked.
• In turn, allowed design of specific tool (Stuxnet) to attack Iranian centrifuges.

Possible Alternative
• Argues that Olympic Games shows weaknesses in dominant understanding of cybersecurity.
• Claims that cyberwarfare is not asymmetric.
  ◦ Reinforces the power of those who are already militarily and economically strong.
  ◦ Stuxnet part of expensive program.
  ◦ Went together with US/Israeli military power.

Offense Dominant - alternative view
• Suggests Stuxnet shows offensive power of cyberwarfare is limited.
  ◦ Weapon was not especially effective because of need to preserve secrecy.
  ◦ Hard to design tailored attacks against heterogeneous targets.
  ◦ Hence, not clear that cybersecurity favors offense over defense.

Deterrence
• Stuxnet limited, according to Lindsay, because of fear of retaliation or blowback.
• Attribution problem not a big deal.
• Uncertainty of impact may itself have deterrent consequences.
• But is it generalizable?