3 Chapter 2: Fundamental Issues
This chapter introduces some basic issues and ideas that will be relevant for the entire course. We begin in 2.1 with fundamental concepts, including the important distinction between cyber-attack and cyber-exploitation, characteristics of cyber-operations, why offense beats defense in cybersecurity, and the attribution problem. Then Section 2.2 offers various perspectives on the seriousness of the cyber threat. Finally, Section 2.3 explores the idea of cyber power.
3.1 2.1 Fundamental Concepts
3.1.1 2.1.1 Cyber-Attack v. Cyber-Exploitation
Cyber-Attack v. Cyber-Exploitation. This is a fundamental distinction throughout cybersecurity that has important legal, policy, and jurisdictional implications. A cyber-attack is an act that disrupts, denies, degrades, or destroys information on a computer network or related system. Examples include the manipulation or destruction of data or code on a computer system to control or shut down an electricity grid, or to disrupt military communications, or to render banking data unreliable. A cyber-exploitation is the act of monitoring and related espionage on computer systems, as well as the copying (and thus theft) of data on these systems. In contrast to a cyber-attack, cyber-exploitation does not seek to affect the normal functioning of the computer or network from the perspective of the user. Examples of cyber-exploitation include stolen military secrets, intellectual property, and credit card numbers.
3.1.1.1. William A. Owens, Kenneth W. Dam, and Herbert S. Lin, Committee on Offensive Information Warfare, National Research Council; The Basic Technology of Cyberattack in Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, 2009, pp. 9-12, 32.
3.1.2 2.1.2 Characteristics of Cyber-Operations (attack and exploitation)
All cyber-operations, both attacks and exploitations, require three things: a vulnerability, access to the vulnerability, and a payload.
3.1.2.1. William A. Owens, Kenneth W. Dam, and Herbert S. Lin, Committee on Offensive Information Warfare, National Research Council; Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, 2009, Chapter 2: Technical and Operational Considerations in Cyberattack and Cyberexploitation, pp. 79-158.
3.1.3 2.1.3 Why Offense Beats Defense
The very basic reason why computer systems are vulnerable is that offense (both cyber-attack and cyber-exploitation) beats defense.
3.1.3.1. Ross Anderson, Why Information Security is Hard -- An Economic Perspective, 17th Annual Computer Security Applications Conference (ACSAC'01), IEEE Computer Society, December, 2001. Section 4: Information Warfare - Offense and Defense
3.1.4 2.1.4 Economics and Metrics
Many cybersecurity problems are at bottom problems about misaligned incentives.
3.1.4.1. Ross Anderson, Why Information Security is Hard -- An Economic Perspective, 17th Annual Computer Security Applications Conference (ACSAC'01), IEEE Computer Society, December, 2001
3.1.4.2. Seymour E. Goodman and Herbert S. Lin, Toward a Safer and More Secure Cyberspace, Ch. 6.4: The Economics of Cybersecurity, National Research Council, 2007, pp. 133-42
3.1.5 2.1.5 Attribution
A fundamental difficulty with regulating cybersecurity is the “attribution problem” of identifying the author of a cyber-attack or cyber-exploitation.
3.1.5.1. David Clark and Susan Landau, Untangling Attribution, Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy, 2010
3.2 2.2 Seriousness of the Threat
There is no doubt that cybersecurity is a serious problem due to the widespread dependency on computers and computer systems, and their extraordinary vulnerability. But how much of a problem? This is a difficult issue to analyze because (as we learned in 2.1) metrics are hard to come by in the cybersecurity realm, and because many actors have incentives to exaggerate the threat.