Never Fight A Land War in Cyberspace: The Best Defense is a strong Defense Marcus J. Ranum ([email protected]) For you twits: @mjranum Marcus works for Tenable Network Security, Inc.

Apology in Advance

• This is going to sound like a bunch of neeping

– But it’s relevant

– Computer security is in line to become another US disaster area of foreign policy

– We need to keep an eye on what the armchair cyberwarriors are doing because they’re busy developing cinder-block throwing techniques for the department of glass houses

So, What’s Up?

• The people who are pushing the US to become a cyberwar power are preparing the same strategies that have failed to work in the past

– It’s important to deconstruct and understand strategy in a domain before you can drop down into tactics

– Otherwise: “Tactics without strategy is the noise before defeat”

– This affects us all in the security community

Some Terms

• “Cyberwar” - ‘conflict in cyberspace’

• “Topological warfare” - conflict in realspace, where distance, time, position, logistics and the constraints of reality apply

• I used to think “cyberwar is bullshit” in the science fiction novel sense

– If you take the narrower definition, it’s real enough

Strategy / Tactics

• Strategy is the big “why” and big “how”

– Generally at the level of conflict and purpose

• Tactics is the details of how to get the thing done

– Generally at the level of battlefields and terrain

• The question, then, is whether we have a useful sense of how cyberwar is fought

The Argument That Follows

• Our concept of conflict is so deeply embedded with topological artifacts that we are unable to think clearly about cyberwar tactics or strategy

– If we’re going to do it, we should understand it

– If we’re going to defend against it, we should understand it

• Our understanding of “offense” and “defense” is profoundly flawed

“The Best Defense…”

• Military maxim going back … probably forever

• There are sound reasons why it’s good, rooted in topological warfare

– Spoiling attack*

– Defeat in detail

– Control of time, place, and rhythm

* For purists, these are all really the same thing

Spoiling Attack

• Attack your enemy as they are marshalling their forces

– Hit them while they are preparing to maneuver and are off-balance

– Takes control of time/space/initiative away from them

• When cyberwarriors talk they are often casting cyberwar as a spoiling attack

Defeat in Detail

• Good example: Caesar at Alesia

– If your opponent’s maneuver elements cannot tactically support each other …

… attack one, then the other

– Sun Tzu formulates this as:

• Have your best troops attack your enemy’s second best troops, your second best troops attack their worst troops, and have your worst troops try to delay their best troops long enough for the best/2nd best to finish their work

Control of Time, Place, Rhythm

• John Boyd’s notion of OODA (Observe Orient Decide Act) loops is a popular way of thinking about this

– The simpler form is to acknowledge that if you attack first your opponent must respond to defend at a time and place you chose

– You can always attack a weaker place (thereby maximizing your forces)

– or attack to “draw” a counter (thereby controlling their movements)

How This Works in Samurai Movies or Spaghetti Westerns

• You attack the opponent who has the greatest apparent situational awareness

– Go for the opponent who’s going for their gun, or who is maneuvering to get behind you

– Down them, then go for the one who is maneuvering next most effectively

– etc

How This Ends in Samurai Movies or Spaghetti Westerns

• Eventually the bad guys realize you’re mowing them down and stop being bad guys

– This is called “deterrence”

The Problem

• Those principles of maneuver only have meaning in topological space

– For one thing, they are deeply rooted in the historical land-war notion that you know where your enemy is and who your enemy is and how many enemies you have

• How does that apply to cyberspace?

• The theme that forces support each other by proximity also does not apply at all*

* For purists: combined arms go out the window

For Another Thing

• The idea of deterrence goes completely out the window

– When you have enemies you don’t know you have you can hardly threaten them …

… Unless your strategy is to be so terrifying and ruthless that anyone who’s even thinking of going up against you is too scared to try

For Another Thing (2)

• Genghis Khan succeeded in that

• Imperial Rome succeeded in that

Two Possibilities

• Possibility 1:

– The proponents of cyberwar utterly do not understand what they are doing

• Thus they are “the noise before defeat”

Two Possibilities (2)

• Possibility 2:

– There is an underlying, unspoken, strategic direction to achieve such a level of dominance that no opponent that exists or might arise can offer a plausible threat

– Right? Because unless you can utterly dominate everyone, someone better than you can materialize; in cyberspace you can’t preempt them

Defense

• In a domain where you may have multiple unknown foes

– Who can attack at any time

• In a place of their choosing

You have to defend everything well against everyone

– I hate to say this but that vindicates the strategy most people have followed with firewalls!

Defense (2)

• In fact, the observation that strong defense in depth is pretty much the only thing that has ever been shown to be at all effective in cyberspace …

… kind of argues my point

– Having reality on your side really doesn’t hurt

Military Maxims of Cyberwar

#1: In cyberspace, every attack is always a surprise attack

#2: In cyberspace, the best defense is a strong defense

Why This Matters

• Cybersecurity has become an issue of foreign policy

– US has threatened “retaliation” against N Korea for Sony break-ins

– US has threatened sanctions against China

– US NSA hasn’t done anything to penetrate other countries’ critical infrastructure at all

• Our question is “does the US’ cybersecurity strategy” actually make sense?

Why This Matters (2)

• Back in 2008 I started floating the idea that cyberwar may become a “weapon of privilege”

– Other weapons of privilege: nuclear WMD

• Unfortunately, US cybersecurity strategy continues to point in that direction

– That has serious and sobering implications

We’re At The Front Line

• In cyberwar the “best defense is a strong defense” paradigm means acknowledging that everything/everyone is a potential target and hardening them all accordingly

– That’s why US government policy regarding cyberwar should scare you

– If the government’s systems were actually outstandingly tough…

… you’re the remaining target

What Should We Do?

• Continually press the US for a sensible and egalitarian policy toward cybersecurity conflict internationally

• Continually press the US to defend government systems appropriately

• Continue to stress the point that orienting towards offense does not strengthen defense

• Keep defending our systems

Thank You

• Long form of this argument:

– http://fabiusmaximus.com/2015/02/23/cyberwar-attack-defense-tactics-79170/

– Intended to someday be part of a series encompassing asymmetrical warfare and the concept of “victory”