Strategic Cyber Security

“Strategic Cyber Security” (which is available for download) is a book that states from the very beginning that computer security has evolved from a technical discipline to a strategic concept. To this end the author tries to examine four strategic choices: IPv6, Sun Tzu’s “Art of War”, Cyber Attack Deterrence and Cyber Arms Control. The book is written for those people who read executive summaries. As such it can be seen as a long (very long) executive summary that often repeats itself. I cannot count the times Eligible Receiver is mentioned in the book, but it is now imprinted in my brain.

There is no technical coverage of IPv6 in the book. As such, discussion of IPv6 is limited to the vast address space that it offers, which will give the opportunity to eliminate NAT, thus having better attribution capabilities on unauthorized connections. It also shows great faith in IPsec deployment as a means of stopping cyber attacks. The concerns about privacy invasion with the deployment of IPv6 are also mentioned, but not specifically. In fact most such concerns can easily be debunked by now. As a purely technical solution, I feel that IPv6 does not mix well with the three other choices that are examined in the book, given the fact (that the author also notes) that IPv4 will be with us for a long (very long) period of time.

I had thought of drawing parallels between the “Art of War” and cyber security a number of times, the last being when von Clausewitz was mentioned in Daily Dave. Ten specific points are discussed which do not fit the cyber domain.

Thanks to the book I got to learn a few things about Deterrence Theory. Deterrence is based on two axes: Denial and Punishment. Denial means that those who control the strategic technology will deny you access to it, while punishment means that, should you develop said strategic advantage, countermeasures for other strategic players will be enforced.

The final choice discussed in the book is the examination of whether a Cyber Arms Treaty can have some positive results (it so happens that there’s a wikileak relevant to the matter; if others exist, a more systematic treatment of these should take place). To examine the possible success or failure of such an agreement, the highly successful Chemical Weapons Convention is used. From the comparison there seems to be little room for success for limiting the development and use of “cyber arms”.

I found chapter 10 of the book the most interesting. It makes use of the Decision Making Trial and Evaluation Laboratory (DEMATEL) method in order to compare and rank the four strategic choices. Unfortunately it is not very easy to locate online material about the original DEMATEL method; however, there’s lots of available literature (and a lot of it by the Chinese) on DEMATEL variations used in health, agriculture and other areas.

To me, learning about DEMATEL was the one thing I got from the book. The rest of it, while interesting, was not equally appealing.

How I came to read “Inside Cyber Warfare”

From time to time I am privileged enough to attend presentations on cyber warfare that are not so open to the public. In one such presentation the speaker spoke of Schmitt’s criteria, a set of rules that can help a state decide, when dealing with a cyber attack, whether it is an act of war or not.

I set off to learn more on Schmitt’s criteria and eventually found out that they are coded in “Computer network attacks and the use of force in International Law”. I contacted Professor Schmitt asking for a copy of the paper and he directed me to HeinOnline. It seemed that I should pay $30 for 24 hours of access on HeinOnline in order to download the paper. Serious books cost less than that!

So I decided to contact the person who gave the presentation from which I learned about the criteria. He recommended that I should read “Inside Cyber Warfare”. The ebook cost $30. It also happened that the very same day O’Reilly was running a special offer campaign to help the Japanese Red Cross and their Fukushima efforts, so I even bought it for less.

Whose is the loss now, HeinOnline?

I cannot stress enough how much I loved “Inside Cyber Warfare”. The author analyzes recent Cyber War incidents and talks a lot about Project Greygoose and the insight that it offered to analysts. It details the three major cyber doctrines and strategies (Russia, China and the US) with lots and lots of references. It contains an analysis on the Law of Armed Conflict and how it correlates to cyberspace and, in my humble opinion, it predicts both Stuxnet and the RSA hack.

Jeffrey Carr (@jeffreycarr) tweeted to me that a second edition is in the works. I am eagerly waiting for it since the first one covers cyber conflicts up to 2009. And for the third. And for the rest of the editions to come. For this is a continuous book; a lifetime’s work. The landscape is changing rapidly and Jeffrey Carr has positioned himself as one of those few who can accurately and objectively depict it anytime.

PS: For those who want to read about Schmitt’s criteria, Denning’s “The Ethics of Cyber Conflict” is a good place to start:

When Does a Cyber Attack Constitute the Use of Force?

Not all cyber attacks are equal. The impact of a cyber attack that denies access to a news website for one hour would be relatively minor compared to one that interferes with air traffic control and causes planes to crash. Indeed, the effects of the latter would be comparable to the application of force to shoot down planes. Thus, what is needed is not a single answer to the question of whether cyber attacks involve the use of force, but a framework for evaluating a particular attack or class of attacks.

For this, we turn to the work of Michael Schmitt, Professor of International Law and Director of the Program in Advanced Security Studies at the George C. Marshall European Center for Security Studies in Germany. In a 1999 paper, Schmitt, formerly a law professor at both the US Naval War College and the US Air Force Academy, offered seven criteria for distinguishing operations that use force from economic, diplomatic, and other soft measures. (Schmitt, 1999) For each criterion, there is a spectrum of consequences, the high end resembling the use of force and the low end resembling soft measures. The following description is based on both Schmitt’s paper and the work of Thomas Wingfield, author of The Law of Information Conflict. (Wingfield, 2000, 120-127)

1. Severity. This refers to people killed or wounded and property damage. The premise is that armed attacks that use force often produce extensive casualties or property damage, whereas soft measures do not.

2. Immediacy. This is the time it takes for the consequences of an operation to take effect. As a general rule, armed attacks that use force have immediate effects, on the order of seconds to minutes, while softer measures, such as trade restrictions, may not be felt for weeks or months.

3. Directness. This is the relationship between an operation and its effects. For an armed attack, effects are generally caused by and attributable to the application of force, whereas for softer measures there could be multiple explanations.

4. Invasiveness. This refers to whether an operation involved crossing borders into the target country. In general, an armed attack crosses borders physically, whereas softer measures are implemented from within the borders of a sponsoring country.

5. Measurability. This is the ability to measure the effects of an operation. The premise is that the effects of armed attacks are more readily quantified (number of casualties, dollar value of property damage) than softer measures, for example severing diplomatic relations.

6. Presumptive Legitimacy. This refers to whether an operation is considered legitimate within the international community. Whereas the use of armed force is generally unlawful absent some justifiable reason such as self-defense, the use of soft measures is generally lawful absent some prohibition.

7. Responsibility. This refers to the degree to which the consequence of an action can be attributed to a state as opposed to other actors. The premise is that armed coercion is within the exclusive province of states and is more susceptible to being charged to states, whereas non-state actors are capable of engaging in such soft activity as propaganda and boycotts.

Sandworms of Dune

After suffering the shock of reading “Hunters of Dune”, the final book in the saga was a lot better. Almost as good as the House Trilogy. It still is no match for Frank Herbert’s brilliance, but it proves that had Brian Herbert and Kevin J. Anderson devoted their time and effort to create just the final chapter of the Dune saga instead of creating a cash-cow, they would have achieved something comparable.

I guess I am not a talifan after all. Just disappointed.

Solving the Dilemma of State Responses to Cyberattacks

These days I am reading “Inside Cyber Warfare” (among other things). Chapter 4 (Responding to International Cyber Attacks as Acts of War) is written by Lieutenant Commander Matthew J. Sklerov. It is a rewrite of his 111-page thesis on the subject which is available online:

→ “Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses against States Who Neglect Their Duty to Prevent”

Like I said, I have not read the thesis, but I am reading Chapter 4 from “Inside Cyber Warfare”. It is highly explanatory of the US strategic and military dogmas, including running cross-border operations against enemies who are non-state actors.

The Deadline – A Novel about Project Management

Dimitris sent me “The Deadline” as a gift for my birthday. Written by Tom DeMarco (author of “Peopleware”), it is a novel that aims to introduce the reader to the complicated and cruel world of software project management. It also explains why most software projects fail. Clearly. In a buy-this-book-for-your-manager-to-open-his-eyes way. Team formation, design, quality control, unrealistic deadlines, goals and schedules, it is all in there. So if you need psychological support when a project goes bad, you should read the book. It is a good bus read.

It is also a book that opens doors to new worlds. Thanks to the book I learned about the adventures of Mr. Tompkins by George Gamow in which he aims to explain modern scientific theories to a popular audience. I see my stack of unread books getting higher again. I also learned about iThink which seems pretty cool (but then again I find Systems Thinking interesting enough). Pity though that iThink costs as much as it does (should I write my half-baked hack of systems thinking software? Damn! When I cannot buy, I try to write code instead and thus pay in time).

What would I change in the book? I would completely discard the very last chapter. Totally unnecessary. But no harm done, since the story is only the vehicle for the project management message and the message does get through. I’ve been lucky enough to have worked with managers like Mr. Tompkins; for this I want to end this post with the very first notes in Mr. Tompkins’s journal:

Four essentials of Good Management:

  • Get the right people
  • Match them to the right jobs
  • Keep them motivated
  • Help their teams to jell and stay jelled

(All the rest is Administrivia)

Amen to that!