What I have been wondering for quite a while now is how different cyber warfare is from other – regular – forms of warfare. Regular warfare includes insurgency and nuclear deterrence but not cultural warfare, for example. Of course there is a reason why I am wondering about that. If cyber warfare is similar to other forms of warfare, there are conclusions we can draw from them and adapt to our strategy for dealing with cyber warfare, all without starting from scratch again. That would be nice and would also save some time and money. While the latter is not the problem, time is definitely a crucial element in cyber warfare. Of course that is a broad topic that I would like to cover today. What I was wondering in particular is what broader – grand strategy, maybe – choices we have when it comes to cyber warfare.
Basically there are three forms of national security strategy we can pursue. Not having network connections, or having autarkic systems, is one that I did not include in this article for a lot of reasons. So the first option is to remain entirely passive: building up IT security, fixing and patching whenever it is necessary. Of course, sometimes we might lose. Attacker numbers increase, but at least we have some sort of strategy. I would like to call that kind of cyber defense the ‘white helmets’. I leave the reason for that name up to you. It should be obvious, though.
The second form would be a bit more active. I would like to call it pro-active defense or the ‘gray helmets’. It includes everything the former did, but in order to decrease the number of potential attackers it goes beyond it. Once attacks are noticed, everything is done not only to secure the perimeter but also to trace the attacker. Depending on where he comes from and what he was already able to steal, appropriate actions are taken. For example, stolen data is deleted or the police are alerted to his existence. Also, corrupting files on his computer which may have something to do with the ‘crack’ would be considered under that option.
The third form then would be the ‘black helmets’. It includes all of the former plus an active search for POTENTIAL threats: hacking into the computer systems of suspects in order to pre-emptively prevent attacks on the perimeter. That might also involve foreign intelligence or other national agencies, as long as it serves the purpose of stopping any potential attacker from entering our system.
In reality, even though the latter is never admitted, all of these measures might form the national security strategy. However, what should be stressed is a quite obvious question. And for that, I would like to come back to the comparison to other forms of warfare. In detail: nuclear warfare. The concept of nuclear warfare is complex but basically relies on deterrence in order to not fight the war. Of course, if you do not have nuclear weapons you are in a very bad position. The same is true of cyber warfare. You cannot say: Oh well, we do not do anything so no one will harm us. That is bullshit. As long as you have something interesting (or just something that you do not want to get destroyed) you have to become active. If you have a well-known but not legally connected team of black helmets in your repertoire, deterrence might work in your favor. At that point it does not even matter if you regularly use it or not (and at that point it already differs from nuclear strategy); as long as you have it and others know of it, it works in your favor. On the other hand, if it is widely known that you only try to secure your perimeter without any retaliation, every single script kiddie might try his luck at hacking into your system. Even if most of them do not succeed, it generates a lot of annoying noise that might lead to deception. Not something we want, right? So there is an actio-reactio principle in place. If you harm us, we will harm you. We have the ability to (deterrence), so better not mess with us. At that point we can apply social constructivism and say: as long as your opponent believes that you have the ability to trash his virtual place, he might not want to mess with you. At that point it does not matter if you have a handful of highly skilled Ivy League hackers at your command or not. Simply the outside world believing it is enough. However, in the fake anonymity the Internet provides, people might not care about it and give it a shot.
And that is why you have to be ready to make an example of some attackers.
Whether gray or black the helmet may be, it better be darker than white.