The Cybersecurity Dilemma in a Nutshell

Link post

The Cybersecurity Dilemma: Hacking, Trust, and Fear Between Nations organizes its arguments in a fairly no-nonsense premise -> premise -> conclusion manner that I thought would be good to summarize in a blog post. You can buy the book here.

The argument:

Security dilemmas are dangerous because, in seeking their own security, states often build capabilities and take actions that directly threaten the security of other states, creating impressions of imminent offensive intent and prompting escalation. This is especially true for cybersecurity, for several main reasons:

States that desire options for future cyber operations must make intrusions in advance.

  • The sequential stages of cyber-attack (target acquisition, development, authorization, entry, establishing command and control (C2), pivoting, payload activation, and confirmation) can take a very long time.

    • E.g. the time required to find zero-days, develop exploits and new tools, get authorization, get past defenses such as air gaps, set up C2, and make pivots within networks, all without revealing presence.

  • There is little “momentum” between the stages of a cyber-attack, since the attacker has to reorient themselves at each stage, and this incentivizes early intrusion.

  • Options for persistence within networks incentivize early intrusion.

  • Without moving early, states miss out on economies of scale in capability that come from re-using code and knowledge.

States that desire options purely to defend themselves also have an incentive to intrude early, since the defensive process of preparation, detection, data collection, analysis, containment, and decontamination benefits from making intrusions:

  • Intruding to learn the strategic intentions of potential intruders

  • Intruding to learn potential intruders’ means of intrusion and to develop countermeasures

  • Intruding to find out if intrusions have already been made and to discover operations in progress

Cyber intrusions for intelligence gathering will be perceived as more threatening than past intelligence operations:

  • They provide a means of deliberate targeted attacks as well as of accidental disruption, since breaking a network can be easier than spying on it

  • They provide a beachhead for future operations and intrusions

  • They change the conditions of conflict and competition via:

    • Enabling joint operations with cyber effects

    • Providing insight into the defender’s intentions, capabilities, and decision-making processes

    • Disclosing the defender’s capabilities in advance

    • Enabling economic espionage

  • They provide counterintelligence challenges via:

    • Intruding into intelligence agency networks to learn about their internal workings, operations, capabilities, communications, methods, and subject knowledge

    • Expanding operational opportunities to spread through other intelligence networks

    • Undermining intelligence efficiency with fears and paranoia

The traditional mitigations to the security dilemma are less effective for the cybersecurity dilemma:

  • Cyberspace is perceived as an offense-dominant domain of conflict, as it presents large attack surfaces that are difficult to defend: it is highly interconnected, allows nearly instant intrusion, and lacks many parallels to natural “defensive geography”

  • It is not easy to differentiate offensive from defensive measures and capabilities in cyberspace, because cost-effective cyber defense relies on means that also serve offense:

    • Successfully defending and monitoring entire networks and patching all vulnerabilities is prohibitively expensive, so defensive intrusions into adversary networks to learn about intentions and capabilities are inevitable

    • Defensive intrusions can provide means for offensive operations in the future

  • It is difficult for states to send credible signals of restraint, since the covert nature of cyber operations conceals their scale and the threat they pose

  • Resolving uncertainty about motives via communication is more difficult for cyber operations and cyber defenses, since states have an incentive to keep their capabilities secret so as not to lose them.

The cybersecurity dilemma is also more complex to solve than the normal security dilemma, since cyber capabilities are harder to assess than military power, and status quo behaviors are likely to change because norms for mutually acceptable behavior have yet to be ironed out.

Counter-arguments:

In response to these arguments establishing the “cybersecurity dilemma” as a serious problem in international relations, there are a few counter-arguments that the book seeks to address:

  • That attribution in cyberspace is impossible…

    • This is often not true for well-resourced actors, and even when it is true it is likely to lead to defensive forensic intrusions into suspect networks

  • That cyber threats are not existential…

    • But threats need not be existential to merit or incentivize responses

  • That cyber capabilities are so unevenly distributed that detecting a network intrusion does little to change a state’s overall fears…

    • However, states with more symmetric capabilities will still face such dilemmas, and wealthy states face asymmetric threats that still prompt defensive intrusions

Ways to partially mitigate the cybersecurity dilemma:

  • Increasing short-term stability with baseline cyber defenses to remove vulnerabilities and increase the odds of purging intruders from networks

  • Building trust between states by improving bilateral relationships

  • Minimizing the risk of misinterpretation of intentions via unilateral actions that credibly demonstrate a commitment to stability (e.g. disclosing zero-day vulnerabilities so they can be patched)

  • Establishing and communicating a status quo posture for responding to cyber intrusions