
Tenable Blog


Afterbytes: The "Cyberwar Battlefield"

Article Title: Navy Fleet Cyber Command Expected to Have Predictive Capabilities Within Two Years

Date: April 6, 2010

Vice Admiral Bernard McCullough, commander of the Navy Fleet Cyber Command, estimates that the command will establish a proactive defense posture by October 2010. Speaking at the Center for Strategic and International Studies, McCullough said that the military is traditionally reactive and static, but we need to be proactive, dynamic and predictive. He noted that we have to start seeing the network as a weapons system, and the domain as the battlefield. McCullough acknowledged that transforming perceptions will take time but believes the command will have predictive capabilities within two years...

Reference: Navy cyber leader expects proactive capabilities this year

I like "proactive" - it's a good dynamic buzzword, if you're the kind of person who is impressed by action-y sounding verbs. But "predictive"?


First off, let's dismiss the "cyberwar" hype about seeing the network as a battlefield. It's not a battlefield, it's a network. Metaphors are wonderful, in their place, but if you get blindly metaphorical, you wind up losing track of very important details. Networks have some of the properties of a battlefield, but only at the most surface level; there are a lot of things about networks that are very different from real battlefields:

  • There is no actual terrain, so "holding" and "defending" have different meanings. Consequently, "attacking" has a different meaning as well. Aeron Chair Sun Tzus need to consider what "attacking" means when your target can be replicated, reconfigured, moved, and has no positional strategic value.
  • Information is the coin of computer security, and - unlike territory or a tactical objective such as a pillbox or a castle - can be "taken" without it being clear that the attacker has done so. Again, does the word "attack" have the same meaning regarding information as it does regarding a conventional military target?
  • In real battlefield environments, strategic surprise is very hard to achieve, and significant tactical surprise is getting harder and harder all the time. In a network, that's not the case at all.

I could go on and on but you get the point. Why are warfighters talking arrant nonsense? I'd be much more comfortable if the Aeron Chair Sun Tzus were talking about networks as if they understood them, rather than poorly analogizing networks as battlefields. I'd be impressed (a bit) if I heard someone talking about how to attack a target in which the enemy has the potential to fold the "battlefield" up and put it away as soon as it comes under attack, or that logistics has more to do with breadth and evolvability of knowledge-bases than static knowledge - a problem that real battlefields don't have at all. What's scary about this "network as a battlefield" analogy is that it's so wrong it makes me think that the Aeron Chair Sun Tzus aren't actually thinking of the battlefield of the future at all - they're wrestling with mental imagery of castles and drawbridges when they should be thinking about measuring the differences between opposing knowledge-bases. I despair, I really do. When the cyberwar pundits say "we'd lose a cyberwar" it's because their vision and understanding of the problem is medieval.

Now, let's talk about "predictive" for a moment. Would anyone care to guess what on earth Vice Admiral McCullough is talking about? On the surface, "predictive" analysis in warfare is only done through targeted intelligence - you have to be so far into the enemy's preparations that you can reliably tell the difference between offensive operations that are about to happen, and simple preparation. Again, the battlefield metaphor completely breaks down; you can "predict" an attack when you see an enemy's tanks massing on the border, or you observe important changes in their logistical train. Or, as the case may be today, you turn on CNN and they announce that a "big attack is in the works for such-and-such town in Afghanistan" - but how do you predict operations in a "place" where your enemy has no need to reconfigure forces prior to an attack? The metaphor completely does not work.

How do you predict an enemy's operations in a network? It's simple: you have to be inside their command loop - in other words they have to tell you what they are going to do, and you need to have good enough information to sort the disinformation from reality. Back when I was working on intrusion detection systems, we used to periodically get customers who'd say that they wanted IDS data so they could react in response to an attack. We'd gently explain to them that it's easy to predict when you're going to come under attack - because the answer is "constantly." What you really want to know is not whether you'll come under attack, but whether the attacks you're under right now are working. Again, the battlefield metaphor breaks down because the dynamics of attack and defense on a network are nothing like they are on real ground: you can potentially cause entire categories of attack paths to cease to function, or exist, with a single mouse-click. I don't care if you're attacking me, I care if you're succeeding, and the battlefield notion of numerical advantage is meaningless because the defender can (or ought to be able to) reconfigure the battlefield unilaterally. What does this have to do with "predictive" activity? It means it's pointless - predicting an attack is going to be worthless compared to being able to rapidly react to a successful penetration. To abuse a metaphor a bit, predicting a cyberattack is about as useful as predicting that a sniper's bullet is going to hit between your eyes after it's 3/4 of the way through its trajectory. The military value of prediction is pre-emption or re-configuring defenses (in the sniper scenario, that would be: ducking) neither of which may make any sense in a network environment - unless you're trapped in the battlefield metaphor instead of networked reality.

"Predicting" attacks means being able to predict the future. Anyone who can write a piece of software that can predict the future has solved the hard artificial intelligence problem - because that's a measure of what intellect is - it's our evolved ability to try to predict the future. I'm really worried that our "cyberwar" strategists are so busy wrestling with the wrong metaphor that they're going to completely forget to come to grips with the actual problem of computer, information, and network security. It's not a battlefield, it's a network!
