Abstract

US strategy on cybersecurity and cyberwar is dominated by wishful thinking and inapt metaphors, says Stewart Baker.  Instead of bizarrely taking comfort in the notion that cyberweapons are like nuclear weapons, we should learn the lessons of an earlier war-shaping technology - the airplane.

"The bomber will always get through" was as frightening and as true in the runup to World War II as "cyberwar favors the offense" is today.  Examining how technologists and diplomats tried to deal with the threat of strategic bombing says a lot about what will work in a world of cyberweapons.

Among the lessons:  Diplomacy and appeals to the law or norms of law offer little protection against nightmare cyberweapons.  Deterrence through ever more sophisticated offensive capabilities is equally unlikely to work. Other tactics, from creating false targets to doing the obvious on defense, must be pursued at the same time that we look for ways to erode the technological advantage of the offense.

Indeed, that advantage is already eroding due to an emerging revolution in attribution. Stewart Baker argues that we have a growing ability to identify and eventually to deter attackers by exploiting their inevitable security errors. Identifying and punishing intruders must be a major part of any cyberwar or cyberespionage technological strategy. Secure systems should seek not so much to lock out attackers as to force them to make such heavy investments that they put at risk their own anonymity and their own networks. That means more digital dyepacks and network mantraps, he asserts, not stronger network walls. Oh, and online anonymity?  Toast.

Speaker

Stewart Baker is a partner in the law firm of Steptoe & Johnson in Washington, D.C. From 2005 to 2009, he was the first Assistant Secretary for Policy at the Department of Homeland Security. His law practice covers matters homeland security, international trade, cybersecurity, data protection, and travel and foreign investment regulation. As an intelligence lawyer, Mr. Baker has been General Counsel of the National Security Agency and of the commission that investigated WMD intelligence failures prior to the Iraq war. Mr. Baker is the author of Skating on Stilts, a book on terrorism, cybersecurity, and other technology issues, and he blogs about such topics on www.skatingonstilts.com.

About the WATCH series:

Transforming today's trusted but untrustworthy cyberinfrastructure into one that can meet society's growing demands requires both technical advances and improved understanding of how people and organizations of many backgrounds perceive, decide to adopt, and actually use technology. WATCH aims to provide thought-provoking talks by innovative thinkers with ideas that illuminate these challenges and provide signposts toward solutions. The series is jointly organized by NSF's Computer Science and Engineering (CISE) and Social, Behavioral, and Economic (SBE) Directorates and the Office of Cyberinfrastructure (OCI), and sponsored by the CISE Secure and Trustworthy Cyberspace (SaTC) Program. Talks will be recorded and made available over the Internet.

About NSF
The National Science Foundation (NSF) is an independent federal agency that supports fundamental research and education across all fields of science and engineering. In fiscal year (FY) 2009, its budget is $9.5 billion, which includes $3.0 billion provided through the American Recovery and Reinvestment Act. NSF funds reach all 50 states through grants to over 1,900 universities and institutions. Each year, NSF receives about 44,400 competitive requests for funding, and makes over 11,500 new funding awards.MORE