Silky Paws Need Claws – The Problems of Defensive Cyberstrategies

Monday, March 25, 2013

Jarno Limnéll


This article was written by Dr. Jarno Limnéll and Dr. Jan Hanska.

How many of us have not fondled and marveled at the silky softness of the paws of a cat – only to have fallen seconds later a victim of numerous bloody scratches. Wearing velvet gloves in the issues concerning cyber strategies is not a way to proceed if national security is at a stake. We might benefit more from following U.S. President Teddy Roosevelt’s motto: “speak softly and carry a big stick.” This can be reinterpreted in today’s context as advise not to speak in threatening and jingoistic tones but preparing simultaneously for use of force.

For societies and armed forces there is today no credible defense without cyber capabilities. The cyber arms race has started, and its speed is accelerating. Nations and other entities are using online weapons, because they are thousands of times cheaper than conventional armaments. But they are not bloodless, as we would like to think. Cyber weapons can damage a physical object as badly as a traditional weapon.

No responsible nation-state should aspire for the role of “North Korea of the cyber space”, issuing hollow threats in aggressive public messages but neither should we discard the notion that Realpolitik seems to be in our contemporary conjunction the way cyber policies work. The U.S. has thus far been the most vociferous proponent of the use of force in relation to cyber threats. These range from the assertion that a cyber attack, when it passes a certain undeclared threshold, will result in retaliation by kinetic weapons to the leaks suggesting that a presidential policy directive has provided the U.S. president with the ability to order a preemptive cyber strike. This is not the way to advance the peaceful development of cyber policies. The U.S. has chosen not only to shout its threats aloud, but also to wave the stick around. In the case of a superpower the claws can remain hidden – the paws themselves are sizable enough to deter aggression since it is obvious that even a careless pelt would cause damage.

As is the case with any weapon, when talking about cyber threats, the motive is crucial. Russia today has approximately 5,000 nuclear weapons that could destroy the world several times over. However, Russia lacks the intention to use its nuclear weapons. The same goes for cyber weapons. China already has very destructive cyber weapons to use against the United States’ critical infrastructure. But China does not currently have the motivation to use its cyber weapons against the U.S. It is important to separate the intention and the capability, which together make the threat.

In the case of small powers the problem is different and needs to be addressed differently. We are not aggressive in our policies – in the world of “Realcyber” we indeed cannot afford such an approach. We do not stomp around, but tread very softly in the international realm. There is, however, a difference between the soft, feline steps we do wisely to take and “frakfooting” around. If we write our cyberstrategies to be entirely defensive, without even including an offensive element, there is no way to deter aggression. A prospective cyber attacker does not shy away from probing for weaknesses and infiltrating systems and network if the severest result is that the attack will at some point peter out when defensive cyber capabilities are employed. The attack either failed, or was a partial or complete success. It would have been folly not to try, since even in the case of failure there would have been no risk of retaliation and damage from a counter-attack. When the defensive cyber strategy is coupled with offensive capabilities to be automatically employed in a counter-attack the prospective aggressor may be not be all that eager to initiate action – for fear of counter-action.

It is an old maxim of Vegetius that if you want peace, prepare for war. Sic vis pacem, para bellum. In cyber strategy this is not war-mongery but a rational approach to security. And cyberwar is comparable to traditional war in many senses as a recent NATO commissioned report Tallinn Manual on the International Law Applicable to Cyber Warfare shows us. The findings of international law experts tell that while in most cases the appropriate response to a cyberattack would be in a retaliation confined to cyberspace, in those cases where the victim has suffered death of severe property damage, it is acceptable and lawful to retaliate with traditional kinetic weapons in its counter-strike. The report also finds that even individual hackers who undertake attacks are legitimate targets for counter-strikes.

This basically implies that building and upholding capabilities for offensive cyberwar instead of restricting oneself to merely inventing systems of passive defense would thus not, even from the perspective of international, be considered as acts of aggression. The failure to create a system for offensives, to be used to protect oneself when attacked, might even lead to a situation where one becomes a more probable target of aggression. One of the “natural laws” of traditional Realpolitik was that weakness invites hostility and since cyberspace thus far has not politically developed into the same level of sophistication, agreements and pacts as the international relations of the physical world, it might be wise to adhere to the more pragmatic policy approaches of the past until cyberspace becomes more thoroughly regulated by international agreements.

We initiated this article with an allegory by comparing cyber strategy to the behavior of a cat. Indeed, no small nation-state can uphold a distinguished status within the international community by adopting a mad-dog policy of random aggression against any real or perceived threat. Instead, quite a few of the attributes and characteristics of a cat have to be taken into account to master cyber security and create a strategy to answer all the requirements of the fluid developments of today. A plausible approach to cyber security must contain the feline elements of stealth, flexibility, adaptability and dexterity – and not discard the necessity of concealing sharp extendable claws to be used for one’s protection. To settle for mechanisms of passive defense equals not only having a tomcat castrated but declawed at the same time.

Possibly Related Articles:
Post Rating I Like this!
Nathan kristen This has been a main strategy and this is working in the favor of those who are abiding it.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.