key length is sufficiently long, it is not
feasible to test each and every key. In
practice, the strength of a system needs
only to be commensurate with the risk
and consequence of breakage.”15
Those who believe “data at rest is
data at risk” envision the additional
security option of breaking encrypted
data into pieces and sending them out
into “the cloud,” or into cyberspace
beyond one’s own system, ready to be
called back and reassembled at a keystroke. Strong crypto and the cloud
are gaining attention, but the firewall-based model remains dominant, especially with military- and national-security-related information systems.
Thus the fear of a crippling “bolt
from the blue” cyberattack is great,
and the U.S. military’s frenetic efforts
to cope with such a possibility have
sparked a return in some military circles to the classic question of whether
offense or defense is “dominant.” In
every period of major technological
change there has been sharp debate
about the properties of the new tools of
war, and the conclusions drawn have
quite often been wrong.29 For example,
before World War I, most Western
generals believed machine guns and
high-explosive artillery would favor the
offense. They were tragically wrong.
Some millions of soldiers marched
shoulder to shoulder to slaughter in
that war.35
A generation later, at the outset of
World War II, the prevailing belief,
except within small circles of military mavericks, was that defense was
dominant. This mind-set led to such
initiatives as the massive investment
in the French Maginot Line. Wrong
again. Aided by mechanization, the
Germans simply went around the wall
and scored one of history’s signal military victories in the spring of 1940. It
seems that figuring out the state of the
offense-defense balance, in light of the
latest technological changes, has generally proved quite difficult. Today is
no exception.
Security system, attack tool
Assessing the balance of power in
battle is just as difficult to parse in
the virtual realm as it has been in the
physical realm. To date, the school of
thought associated with notions of offense
dominance in cyberwar has been
ascendant, feeding the frenzy to craft
defenses.12 But articulate dissenters
have also been heard from, in particular
the RAND Corporation’s Martin
Libicki, who believes it will be difficult
for cyberspace-based offensives to
achieve strategic effects. As he sees it,
cyberwarfare “is still largely theoretical.
People have seen the detritus left
behind by small-scale hacker attacks,
but no one has ever seen it work at the
scale often claimed for it.”23
This discussion—from Libicki’s
analysis to the Stuxnet example—
suggests the offense-defense balance in
this era may be characterized by an
action-reaction cycle in which one or
the other mode of war becomes temporarily ascendant. It may be much like
technical and tactical developments
in traditional military affairs, which often favor the attacker or defender when
introduced but are eventually
countered. For example, the World
War II German U-boat wolf-pack offensive was ultimately defeated by a mix
of skillful codebreaking and improved
direction-finding equipment, unmasking the attackers’ positions and giving
the edge to the defense.
Likewise, viruses, worms, and new
forms of “semantic attack” on information systems will likely be subject
to technical countermeasures that will
diminish, if not dispel, the threats they
pose, particularly if firewall-oriented
“Maginot Line mind-sets” give way to
greater emphasis on strong cryptography and data being moved around
much more, not just deposited for long
periods in fixed locations.
Recent cyberwars
In April and May 2007 a series of widespread cyberattacks was mounted
anonymously against Estonia, sparked
by removal of a World War II monument to Soviet soldiery (commemorating
the Russian military campaign
and its casualties suffered driving the
Nazis from the country) from a prominent place in the capital, Tallinn. Outrage among Russians at this action
was followed by massive cyberattacks
thought to have been perpetrated, or
at the least encouraged, by Russian
leaders against the Estonian government and civil society. Huge disruptions ensued for a short period, with
the attackers using simple tools in
distributed denial-of-service attacks.8
It was a clear example of the “strategic
attack paradigm”; a scaled-up version of this sort of campaign launched
against, say, the U.S. or another developed country would have inflicted
enormous economic losses.
In August 2008 the Russian military launched an invasion of the trans-Caucasian Republic of Georgia, a U.S.
ally whose security forces had been
nurtured, trained, and equipped along