Time for industry and business to rethink the electronic battlefield
- 02 February, 2015 11:44
Over the past two decades, industrialised nations have been systematically pillaged by enterprising nations and criminal organisations that had the foresight to see the opportunities of governments, business, industry and people around the world rushing to connect to the Internet.
The principle of mutually assured destruction (MAD) adopted as a doctrine of military strategy and national security policy during the cold war years remains in force today preventing the outbreak of open warfare between major nations on the electronic battlefield, but MAD has not prevented these nations from entering an undeclared war.
Failure to address this state of warfare by the western governments has left industry, business and the wider population open as targets for cyber-warfare, cyber-crime and cyber-terrorism.
The list of governments, companies and individuals that have been compromised with the associated loss of national and defence secrets, intellectual property, personal information and billions in cash has made the Internet one of the most profitable ways today to obtain an advantage—whether this is strategic or financial.
Who is involved?
It is not only smaller countries that have been slow to mobilise defences against the plunder. Over the past decade government facilities and defence installations in industrialised nations have been routinely compromised and this is exemplified by representatives from BAE Systems, Britain’s largest defence related company, admitting that over a period of about 18 months, “Chinese cyber-attacks had taken place against BAE and had managed to get hold of plans for one of its latest fighters.” The fighter is the $300 billion F-35 Joint Strike Fighter.
This and other revelations about the scale of successful cyber-attacks on governments and major corporations were only made public when files taken from the US National Security Agency (NSA) by a former employee, Mr Edward Snowden were leaked through the media.
For those in the military that might face enemies that have been armed with weapons technology stolen from defence contractors it is little comfort when commanders give false assurances of the industrialised countries maintaining a technological edge.
Similarly, for shareholders that find their portfolio’s value diminishing when a competitor enters the market using stolen intellectual property, it is often attached to the memory of false assurances made by the company’s management team its cyber-security efforts have been successful.
Corporations with their head in the sand
The cyber-attack on Sony was possibly the most visible recent assault on a multi-national, which must have succeeded far beyond the expectations of the hackers. To lose an alleged 100TB of data and intellectual property through a cyber-attack is not only mind boggling but, for it to occur only three years after a similarly devastating attack on the Sony PlayStation Network, beggars belief. It highlights just how unprepared for cyber-crime major corporations really are.
For Sony shareholders there are no positives in what happened because governments around the world have resisted efforts to force industry and business to take cyber-security seriously. What this means is that Sony’s shareholders will need to take the loss on the chin and bear the additional cost of a marketing campaign to rebuild consumer trust with the Sony brand.
It is too late for governments and executives at corporations like Sony to realise that the Internet has become a modern electronic battlefield that is in a state of permanent flux?
The electronic battlefield is a new addition to military science
To make sense of what is happening in the modern electronic battlefield, key texts on how to prosecute warfare such as Sun Tzu’s ‘The Art of War’, Carl von Clausewitz’s ‘On War’ and Miyamoto Musashi’s ‘The Book of Five Rings’ are often cited and are used to develop strategy. But mistakes will be made if military texts are applied to what is a new and different battlefield.
Sun Tzu’s ‘The Art of War’ provides a concise definition of the science of warfare. To build a strategy for the electronic battlefield based on Tzu’s work would be adequate, but ultimately futile. To understand why, it is important to consider the science of warfare in its broadest sense.
Tzu’s work was written to provide a highly condensed series of thoughts that the reader can apply within a current context. ‘The Art of War’ commences and ends appropriately with methods that can be used to quantify relative strengths and weaknesses, and by ending the book with a final chapter on competitive analysis Tzu reminds us that warfare is about your enemy as much as it is about your own forces.
After Tzu sets the scene on how to consider competitive positions, he explores the ways in which it is possible to improve the current situation and prepare for what is to come.
In the chapters leading to the final chapter which takes us back to the competitive analysis, Tzu explores how to respond to changes in the strategic or tactical situation.
But how do you apply a text written about warfare in times past with a battlefield that spans the globe, is virtual, where tactical events occur in microseconds and combatants may never come face to face?
Government inaction puts nations in peril
How do you win on a battlefield when governments haven’t mobilised the forces necessary to counter the attacks?
The lack of action by the governments of the industrialised countries results in many thousands of cyber-attacks every day, and the consequences have been devastating.
The failure to set minimum privacy and security standards that must be complied with by organisations connecting to the Internet and the failure to enact mandatory data breach reporting combine to form the worst possible outcome. No privacy and security because it is too hard or costs too much—and no reporting of cyber-crime lest shareholders and customers learn how bad the situation really is.
Failure to force companies to report privacy and security breaches means that the police and federal bodies cannot gather the intelligence needed to take action against cyber-criminals.
The electronic battlefield today
The electronic battlefield is unusual because it hosts a multi-faceted war with many state and non-state players operating at different levels with different objectives and tempo of operations.
Force projection on the electronic battlefield to achieve anything beyond a tactical outcome is difficult to achieve because actions carried out in the electronic realm don’t take the players out of the war.
If we apply the MAD stratagem to the electronic battlefield industry—and business must realise that it’s on its own—government cannot take the actions necessary to end cyber-attacks once and for all.
For government to be able to end the war it must turn to the principle of ‘Total War’, which is one step down from MAD and an approach that is only used when nations or peoples are in dire peril.
Total War means that anything goes, take whatever action is necessary to win or to prevent catastrophe.
Would it be acceptable today for government to prosecute undeclared war using the principles of Total War to end cyber-crime?
Consider two principles of Total War: terror and devastation of the enemy’s homeland.
The Mongols, who were ably led by possibly one of the leading warriors in history, Genghis Khan utilised terror to advantage, to the point where cities would capitulate rather than be slaughtered outright, and followed up battlefield success with exploitation of all available resources including captured scientists and scholars.
The Internet is unique in that it facilitates a form of global terror unlike anything in history. Terrorists and some nations have used the Internet to distribute all manner of propaganda. It has recently reached a new extreme with videos of hostages being decapitated and instructions on how to build bombs.
The thought that the person next door, who has been radicalised by the endless news about international and millennia old conflicts, could be building a bomb using simple step by step instructions available on the Internet through a site outside a nation’s border raises the use of terror to a new level.
Understanding the principle of devastating the enemy’s homeland is straight forward. To use an example from warfare in the last millennium, would you rather your city is bombed or theirs?
Today, the electronic battlefield exists in our homeland, in our homes and we’re being devastated. Just ask Sony.
One of the greatest mistakes is for the enemy to be permitted to carry out operations on the ground of their choosing. Remember the first rule of all military strategies: wars are not won by defending.
That this means is that a multi-layered defence is a good start but without offensive capability the enemy will eventually find a way to penetrate your defences, even if it is through the use of an insider attack – remember the Trojan horse.
Focus on the perpetrators
In past wars, people that helped commit intellectual property theft which harmed the national interest were deemed to be spies or collaborators and put to death or left to rot in jail for the rest of their life. Now the penalties are so minor that governments and corporations prefer to hide security breaches rather than take action lest the nation realise what is truly happening.
The Snowden leaks provide evidence of the complicity of the US government in what must be the biggest cover-up in history.
But how do you reclaim the battlefield from the enemy if industry and business are encouraged to hide cyber-security events. It limits police and federal authorities’ access to vital information that can be used to act against cyber-criminals?
It will only be through the development of adequate forces, force projection and momentum that the tide of battle can be turned. Industry and business have an important role to play.
Industry and business cannot sit back and leave the problem to government. Western governments have largely abdicated their responsibility so it is now necessary for industry and business to act in their own, if not the national, interest.
Our response needs to take the fight to the doorstep of the criminal organisations. If this includes the governments of enterprising nations then unilateral actions may also be necessary.
How is this to occur?
The key will be to identify the people involved in cyber-attacks, cyber-crime and cyber-terrorism and to freeze their assets until such time as they can be brought to justice.
By working with private security organisations, police, federal and international authorities the perpetrators can be publically identified with steps taken to disrupt and restrict their actions until they can be removed from the battlefield. In military parlance this is to “maintain contact with the enemy”. This key warfare principle must be applied.
Business and industry needs lobby government and international bodies to target the assets of individuals and their families and any associated entities participating in illegal activities online. Every effort should be made to bring cyber-criminals to justice.
Business and industry should seek sanctions on countries supporting cyber-attacks, cyber-crime and cyber-terrorism because the outcomes achieved on the electronic battlefield can be just as devastating as a bomb falling on civilians.
So do the captains of industry have the fortitude and foresight needed to take the first steps? To work with police and authorities and to demand action in international forums? Or will they continue to wander about like lambs waiting for slaughter?
Mark A Gregory is a retired Army Officer who is now a Senior Lecturer in the School of Electrical and Computer Engineering at RMIT University.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
Upcoming IT Security Events
Feb 3rd, Feb 4th, Feb 6th 2015
Join @NirZuk #PaloAltoNetworks for Breakfast (lunch in Auckland) on keeping your enterprise safe from risk. Cyber attacks continue to increase in volume and sophistication leaving traditional security practices completely ineffective.
March 3rd, March 5th, March 9th 2015
Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec
3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today
Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)