This document summarizes key issues regarding cybersecurity and policy. It identifies four issue areas requiring attention: 1) offense will usually beat defense given enough time; 2) deterring escalation is important, but exploitation and attack during crises are difficult to distinguish; 3) restricting cyber capabilities is impossible, but restricting use may be possible, with challenges; and 4) attribution is difficult and not a solution against sophisticated threats. The document cautions that secrecy clouds public discussion and that cyber conflict is interconnected with other domains.
1. Reflections on Possible Futures for Cyber: Four issue areas that require attention
Herb Lin
National Research Council
2011 USSTRATCOM Cyber and Space Symposium
Omaha, Nebraska
November 15, 2011
3. A reminder of a few key technical points about offensive cyber operations
• Offense will always beat defense, given enough time.
• Cyberattack and cyberexploitation are technically very similar and look very similar to the victim.
• Cyber operations can be selective or broad in targeting.
– Selectivity implies long lead time, complex intelligence requirements, specialized skills, higher cost.
– Bias towards early use in conflict against target of our choosing rather than as response in active defense
• Successful cyber operations require very substantial analytical and intelligence support (cf., kinetic operations), and policy making apparatus to be in place.
– Technically fast but operationally slow; hence most suitable in non-time-urgent operational scenarios (e.g., early use); “speed of light” vs “speed of law/thought/analysis”
4. Escalation dynamics in cyberspace
• Deterring escalation is just as important (perhaps more so) as
deterring onset of conflict.
• Exploitation and attack – new twist on old problem
– How can the adversary know if we are exploiting or attacking? (Exploitation during crisis is stabilizing for us, but destabilizing for them.)
• Unintended escalation particularly dangerous when
– operational actions are less visible to senior decision makers
– outcomes of actions are more uncertain (e.g., cascading effects)
• How can cyberconflict be terminated?
– Requirements for “termination” – how to de-mine?
– How to suppress patriotic hackers?
– How to implement a “cyber cease-fire”?
5. On cyber arms control
• Restricting acquisition of offensive capabilities essentially impossible.
– Can’t restrict code, expertise/knowledge, underlying technology
– Infrastructure needed to develop weapons/conduct attacks is small, easily hidden
– Verification task essentially impossible
• Restricting use of offensive capabilities?
– “Verification” not an issue (cf., Geneva conventions)
– “No cyberattacks on critical infrastructure” similar to “no kinetic attacks on hospitals”
– Many complications
• Why would adversaries agree given asymmetrical advantages?
• Misinterpretation of cyberexploitation vs attack during crisis
• Do we want to live with restrictions on use?
6. The meaning of attribution
• Attribution very hard or impossible if
– Attack techniques are unprecedented, AND
– Attacker has left no clues, AND
– Attacker has maintained perfect operational security (no one else knows), AND
– No circumstances suggest identity of attacker.
• Some degree of attribution may be possible if some conditions do not hold.
• Attribution has many meanings:
– ID of the machine that launched/initiated the attack
– ID of the individual who pressed the keys on the initiating machine
– ID of the nation of jurisdiction for the individual
– ID of the entity under whose auspices the individual acted.
• The relevant meaning depends on the intended purpose, and confusion over purpose clouds discussion of attribution.
• Attribution is not nearly a silver bullet
– Does little against high-end threat, which is likely to compromise attribution.
7. Private sector involvement in offensive cyber operations
• As facilitator of government cyber operations
– Preparation for cyberattack may require the cooperation of IT vendors and service providers
• As beneficiary/unintended victim of government cyber operations
– If US Cyber Command can take offensive actions to help protect .MIL, why not offensive actions to protect .COM?
• Who should conduct such operations? (Gov’t? Private sector?)
• National responsibility for private actions that rise to “use of force”
• As conductor of offensive cyber operations
– What actions should the private sector be allowed to take? (What actually happens today is uncertain.)
– Consider also
• Possible interference with national cyber operations
• Adversary response to national cyberattack may target ISPs and critical infrastructure.
8. Some concluding observations
• The public process for “net assessment” of cyber power is inherently biased against us
– “Their” offensive capabilities are matched against “our” defensive capabilities only.
– Uncertainties drive worst-case analysis
– “Our” offensive capabilities and “their” defensive vulnerabilities are never discussed in public.
• Offense is largely irrelevant to defense in cyberspace
– We don’t know how to do good cyber defense.
– We don’t know how to do good cyber deterrence.
– We don’t know how to do offensive operations that will enhance defense (even preemption is not helpful)
– The only thing left is offensive cyber operations for non-defensive purposes.
• Cyber conflict is not separate from other spheres of potential conflict.
• Many possible forms of offensive operations have not yet been seen.
• Secrecy clouds necessary public discussion.
9. For more information…
Herb Lin
Chief Scientist, Computer Science and Telecommunications Board
National Research Council
202-334-3191
hlin@nas.edu
www.cstb.org