Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Afterbytes: The "Cyberwar Battlefield"

Article Title: Navy Fleet Cyber Command Expected to Have Predictive Capabilities Within Two Years

Date: April 6, 2010

Vice Admiral Bernard McCullough, commander of the Navy Fleet Cyber Command, estimates that the command will establish a proactive defense posture by October 2010. Speaking at the Center for Strategic and International Studies, McCullough said that the military is traditionally reactive and static, but we need to be proactive, dynamic and predictive. He noted that we have to start seeing the network as a weapons system, and the domain as the battlefield. McCullough acknowledged that transforming perceptions will take time but believes the command will have predictive capabilities within two years...

Reference: Navy cyber leader expects proactive capabilities this year

I like "proactive" - it's a good dynamic buzzword, if you're the kind of person who is impressed by action-y sounding verbs. But "predictive"?


First off, let's dismiss the "cyberwar" hype about seeing the network as a battlefield. It's not a battlefield, it's a network. Metaphors are wonderful, in their place, but if you get blindly metaphorical, you wind up losing track of very important details. Networks have some of the properties of a battlefield, but only at the most surface level; there are a lot of things about networks that are very different from real battlefields:

  • There is no actual terrain, so "holding" and "defending" have different meaning. Consequently, "attacking" has different meanings as well. Aeron Chair Sun Tzus need to consider what "attacking" means when your target can be replicated, reconfigured, moved, and has no positional strategic value.
  • Information is the coin of computer security, and - unlike territory or a tactical objective such as a pillbox or a castle - can be "taken" without it being clear that the attacker has done so. Again, does the word "attack" have the same meaning regarding information as it does regarding a conventional military target?
  • In real battlefield environments, strategic surprise is very hard to achieve, and significant tactical surprise is getting harder and harder all the time. In a network, that's not the case at all.

I could go on and on but you get the point. Why are warfighters talking arrant nonsense? I'd be much more comfortable if the Aeron Chair Sun Tzus were talking about networks as if they understood them, rather than poorly analogizing networks as battlefields. I'd be impressed (a bit) if I heard someone talking about how to attack a target in which the enemy has the potential to fold the "battlefield" up and put it away as soon as it comes under attack, or that logistics has more to do with breadth and evolvability of knowledge-bases than static knowledge - a problem that real battlefields don't have at all. What's scary about this "network as a battlefield" analogy is that it's so wrong it makes me think that the Aeron Chair Sun Tzus aren't actually thinking of the battlefield of the future at all - they're wrestling with mental imagery of castles and drawbridges when they should be thinking about measuring the differences between opposing knowledge-bases. I despair, I really do. When the cyberwar pundits say "we'd lose a cyberwar" it's because their vision and understanding of the problem is medieval.

Now, let's talk about "predictive" for a moment. Would anyone care to guess what on earth Vice Admiral McCullough is talking about? On the surface, "predictive" analysis in warfare is only done through targeted intelligence - you have to be so far into the enemy's preparations that you can reliably tell the difference between offensive operations that are about to happen, and simple preparation. Again, the battlefield metaphor completely breaks down; you can "predict" an attack when you see an enemy's tanks massing on the border, or you observe important changes in their logistical train. Or, as the case may be today, you turn on CNN and they announce that a "big attack is in the works for such-and-such town in Afghanistan" - but how do you predict operations in a "place" where your enemy has no need to reconfigure forces prior to an attack? The metaphor completely does not work.

How do you predict an enemy's operations in a network? It's simple: you have to be inside their command loop - in other words they have to tell you what they are going to do, and you need to have good enough information to sort the disinformation from reality. Back when I was working on intrusion detection systems, we used to periodically get customers who'd say that they wanted IDS data so they could react in response to an attack. We'd gently explain to them that it's easy to predict when you're going to come under attack - because the answer is "constantly." What you really want to know is not whether you'll come under attack, but whether the attacks you're under right now are working. Again, the battlefield metaphor breaks down because the dynamics of attack and defense on a network are nothing like they are on real ground: you can potentially cause entire categories of attack paths to cease to function, or exist, with a single mouse-click. I don't care if you're attacking me, I care if you're succeeding, and the battlefield notion of numerical advantage is meaningless because the defender can (or ought to be able to) reconfigure the battlefield unilaterally. What does this have to do with "predictive" activity? It means it's pointless - predicting an attack is going to be worthless compared to being able to rapidly react to a successful penetration. To abuse a metaphor a bit, predicting a cyberattack is about as useful as predicting that a sniper's bullet is going to hit between your eyes after it's 3/4 of the way through its trajectory. The military value of prediction is pre-emption or re-configuring defenses (in the sniper scenario, that would be: ducking) neither of which may make any sense in a network environment - unless you're trapped in the battlefield metaphor instead of networked reality.

"Predicting" attacks means being able to predict the future. Anyone who can write a piece of software that can predict the future has solved the hard artificial intelligence problem - because that's a measure of what intellect is - it's our evolved ability to try to predict the future. I'm really worried that our "cyberwar" strategists are so busy wrestling with the wrong metaphor that they're going to completely forget to come to grips with the actual problem of computer, information, and network security. It's not a battlefield, it's a network!