we will learn about a definition of deterrence used by the DoD. I don't want to spoil the fun, but in summary, their definition of deterrence includes three elements:
You should recognize that this use of the word “deterrence” is a little broader than the way it is used in casual speech. But it does a wonderful job of capturing the three main categories of actions that can be taken to improve cybersecurity.
What is the Value of Technical Defenses, i.e., Denial?
I've said before that this course is not about technical defenses, there are other courses that cover that better. And you've seen that technical defenses are not sufficient to stop cyber attacks.
I still want to make it clear that none of this is to say that we shouldn't be putting more efforts into technical defenses. We should. Again, it's just like home security. While it is true that locking your doors doesn't keep out a burglar who really wants to get in, it will stop burglars who are just looking for an easy target.
And it is true that the vast majority of known cyber attacks still get into networks using exploits of well-known vulnerabilities. Attacks like Stuxnet that use multiple zero-day exploits are quite rare. Or at the very least, they are rarely discovered.
Removing all well-known vulnerabilities doesn't guarantee you won't be attacked, the attackers will just have to work harder, which means there will be fewer that are willing/able to attack.
Who is Responsible for “Denial”?
The home security analogy breaks down as you start to get very deep into it, and one of the important ways in which cybersecurity is different is that you may be the victim of the cyber attack without having had any opportunity to put up a defense. If you applied for a security clearance anytime in the last 15 years or so, you are a victim of the OPM attack. If you shopped at Target you may have been a victim of the Target attack. George Clooney was a victim of the attack on Sony (his emails were published). But neither you nor George Clooney could have stopped those attacks even if you had great technical skills.
It gets much worse than that when you consider critical infrastructure. If electrical generators are attacked and destroyed, millions of people could be left without power for days, leading to billions of dollars of losses and likely multiple deaths suffered by people and organizations that had no ability to stop the attack. And the worst case scenarios are much more dire than this.
And before you start feeling too much like a helpless victim, remember that you aren't off the hook either. If you are sloppy with security on your home computer, you may become part of a botnet that sends spam to me. Or that participates in a DDOS attack against the White House. Or an attack on critical infrastructure may be routed through your computer in order to hide the identities of the real attackers.
It may be a cliché, but it is true, cybersecurity is everyone's responsibility. Much of weeks 8 and 9 will consider ways to encourage everyone (though primarily organizations) to take more responsibility for cybersecurity. Regulations, incentives, market forces, lawsuits, etc.
Who is Responsible for “Response”?
Though it depends upon circumstances and local laws, in general you have the right to respond with force in order to protect yourself from a burglar.
There's no real analogy in a cyber attack. Even if you had the skills to attack back, identifying the attacker (the attribution problem) may be impossible. Not to mention that there's no law of self defense on the internet.
Response to cyber attacks is pretty much limited to the government. If the attacks come from within the country, we hope that law enforcement can track down the attackers and prosecute them. Unfortunately, cyber investigations are still much less likely to lead to successful prosecutions in real life than they are on TV. But without a doubt, law enforcement capabilities in this area are improving significantly.
For our purposes, the more interesting question is what happens when the attackers are outside of the country. If we have the cooperation of the other countries, it may still be possible to treat it as a law enforcement issue. That does work sometimes, there have been some well publicized cases of cybercriminals that have been caught through international investigations.
But this isn't possible if the other countries don't cooperate or if attackers are the governments themselves or closely aligned patriotic hackers. In those cases, we have to rely upon diplomacy, international law, and potentially military force for response. This is an area that is new and there are few ground rules or understandings. We'll spend most of week 7 considering these issues.
What About Resilience?
Resilience is certainly the most neglected of the three elements of deterrence, and can be a fairly difficult topic, so we won't have much to say about it in this course. Here's a nice description of resiliency:
“Cyber resiliency assumes that an advanced adversary will be able to establish a presence on an enterprise’s systems or networks, and frequently will be able to maintain that presence despite defender actions. Cyber resiliency therefore focuses on taking appropriate actions to ensure that the organization’s mission can continue despite compromise of some aspects of the system by the adversary. As cyber resiliency techniques mature and are more widely adopted, the disciplines of cyber resiliency, cyber security, and conventional security will merge.”