Dec. 22, 2021

Paradigm Change Requires Persistence - A Difficult Lesson to Learn

Persistent engagement and defend forward are new cyberspace concepts and approaches that are gaining traction across the cyber enterprise. They challenge the assumptions and prescriptions of deterrence theory and thus require perseverance in ensuring the right lessons are learned. Claims by some that SolarWinds represents a failure of these approaches misses the mark in many respects, most of all by applying deterrence metrics inappropriately. Rather, recent experience has demonstrated that competition in cyberspace is going to be continuous. Competing requires persistence rather than episodic responses, and anticipation rather than reaction.

Dec. 22, 2021

All That Which Is Old, Is New Again – Unlearned Lessons about Metrics of Success in Cyber

In September 2009, the ABA Standing Committee on Law and National Security, the National Strategy Forum, and the McCormick Foundation held a workshop assembling approximately 35 experts on national security threats in cyberspace. The 46-page report, National Security Threats in Cyberspace, explored the then cyber threat vectors, legal frameworks, organizational questions and what the future would bring, among other topics. Our reporter was Paul Rosenzweig; as always, he captured the essence of the discussion – and we ended the report with a chapter on the "Metrics for Success." In short, all that was old is new again – this report is almost 13 years old, but all the metrics remain relevant and the same, and sadly, to a great extent, the metrics reflect policies not met.

Dec. 22, 2021

Powering the DIME: Unlearned Lessons of Asymmetric National Power in Cyberspace

The United States (US) has a long history of proportional and in-kind response to adversary aggressions. If a US aircraft is shot down, the US will bomb anti-aircraft emplacements and runways or attain air superiority by clearing the skies of other fighter aircraft. If hostile actions are committed in cyberspace, the US will respond with limited cyberspace actions in an attempt to restrain escalation to a kinetic conflict. The US has failed to learn the lesson that conflict in the cyber age is inherently asymmetric and that cyber attack responses need not be quid-pro-quo. There is a range of diplomatic, economic, and information options for effective responses that follows the international legal principle of proportionality and do not necessarily result in escalation to the kinetic actions of warfare. The US should use, and be willing to target in others, all the DIME instruments of national power – i.e., diplomacy, information, military, and economic - to respond to and prevent future aggressions in cyberspace.

Dec. 22, 2021

Writing the Private Sector Back into the Defense Equation - Unlearned Lessons

Global supply chains received a one-two punch in 2020. The ongoing US-China trade war and COVID-19 made it clear that the increasingly complex, fragile, and opaque global supply chains were no longer sustainable. These significant shocks, coupled with the SolarWinds supply chain compromise and growing concerns over data security and digital supply chain risk, have caused many in the private sector to rethink their global footprint. These global transformations also create a rare opportunity to rethink the role of the private sector in national security.

Dec. 22, 2021

What Corrodes Cyber, Infects its Offspring: Unlearned Lessons for Emerging Technologies

What infects the cyberspace societal substrate also infects its technological offspring. Whatever relies on the current shoddy, insecure cyberspace substrate inherits its vulnerabilities. This great silent unlearned lesson among technologists, promoters, government officials, and ignorant or optimistic users seems self-evident and yet is repeatedly unlearned. It would seem self-evident that, unless the underlying substrate is transformed to be securable, any new technology built on those insecure cyber foundations will, in turn, fall prey to the same assaults. That adversary and criminal campaigns to poison data, corrupt algorithms, and 'p0wn' development processes are fairly predictable is logically obvious for AI systems as well as quantum, robotics, autonomous systems, synthetic biology, and any other emerging technologies. They all rely on the highly corruptible, existing cyberspace substrate and inherit its attack surfaces in addition to new ones of their own.

Dec. 22, 2021

Extracting Unlearned Lessons from Past Poor Choices lest They be Learned the Hard Way in the Future

Unlearned lessons are those insights missed from a past situation. When we do not learn from experiences, we continue to make the same decisions in similar situations. In the case of the United States, unlearned lessons undermine the future security and prosperity of democracies. The results of unlearned lessons can be the individual’s free choice, but others, including some facing us now, heavily burden the future with the collective history of other prior choices. More volatile times face open societies globally. As Nassim Taleb observes, when the tails of a probability distribution get fatter, the predictable becomes a function of the distribution's extreme values and only those extreme values. In multiple publications, Taleb argues that the world is "undergoing a switch between continuous low-grade volatility to a process moving by jumps, with less and less variations outside of jumps." The faster the rate of systems change, the heavier become those tails, due mostly to the growth of unrecognized interdependence between the moving parts. In the statistical analysis of systems, if one is uncertain about the tails of the data, then one is uncertain about the mean as well. Yet, the faster the rate of systems change, the heavier become those tails, due mostly to the growth of unrecognized interdependence between the moving parts, and thus the less useful for learning are their means. Such a situation requires the prudent person to plan for maximal damage scenarios, not for most probable scenarios, and to ensure that the choices they make along the way offer reasonable and secure alternatives when the worst scenarios emerge.

Dec. 22, 2021

Four Questions Indicating Unlearned Lessons Concerning Future Military Digital Systems and Fleet Design

The US military knows well that it is fully engaged in ongoing 'peacetime' cybered conflict against state and nonstate actors intending to harm the US and its allies and partners.[1] This enduring conflict is driven by various motives and takes myriad forms, ranging from ransomware attacks and theft of technical intellectual property to what is, in effect, cyber privateering and piracy. Various issues afflict the cyberspace substrate and extend deep into the socio-technical-economic system (STES) of modern Western democracies. Given the grievous damage that could be done, these vulnerabilities—many self-inflicted—are astounding. Yet, to some extent, the US military (and perhaps its allies as well) perceives its forces and systems to be partially immune (at least internally) from these 'civilian' vulnerabilities since it has 'secure' communications, networks kept apart from the public internet, and air gaps between weapons systems and outside digital threats. But is this accurate?

Dec. 22, 2021

Content as Infrastructure: The Unlearned Lesson about Cyber Security and Information Integrity

Informational content is just beginning to be properly considered as an urgent infrastructure security concern in addition to the physical integrity and functionality of the computers and telecommunications networks that enable the transmission of such content. The 2016 and 2020 presidential elections in the United States (US) raised awareness about disinformation campaigns and greatly increased both public and private sector efforts to combat foreign influence operations. But the importance of informational content goes far beyond its potential cognitive impact on human actors, such as voters. Automated industrial control systems (ICS) and Internet of Things (IoT) devices can be adversely impacted, or even maliciously manipulated, as well. In a world of heightened reliance on artificial intelligence (AI) and/or machine learning (ML) algorithms – which require large volumes of training data – content becomes part of the infrastructure, because each datum that is processed contributes to the future functionality of the algorithm. AI/ML algorithms that are trained on or receive disinformation inputs will yield imperfect outputs.

Dec. 22, 2021

Unlearned Lessons from the First Cybered Conflict Decade – BGP Hijacks Continue

Unlearned lessons are those where the harm, attack methods, or malicious tools are demonstrated publicly and yet neglected by those who need to respond or better plan for future attacks. By 2010, reports of network traffic hijack attacks – called here Internet Protocol (IP) or Border Gateway Protocol (BGP) hijacks – had already surfaced. Most notably publicized was the China Telecom IP hijack attack in that year where 15% of the global Internet traffic was rerouted or "hijacked" through servers in China.While the scale of this original event has been debated, there is little doubt that throughout the following decade, attacks of this kind continued. Eight years later, in 2018, we reported on China Telecom using its otherwise seemingly innocent network servers to reroute (or hijack) Internet traffic through China at its will. At the time, the company had 10 "points of presence" (PoPs, locations where a company's routing equipment is located) in North America, each strategically located and available to hijack or divert network traffic through China from North America. The 2018 paper drew significant attention to the problem by the general public (through popular media outlets), the cybersecurity and research communities, and various stakeholders in western nations' governments, and yet the lesson is still unlearned by many of the same nations currently being victimized by China Telecom illicit activity and other BGP hijacks.

Dec. 22, 2021

The Need for National Cyber Insurance - A Lesson to be Relearned

Securing a nation’s cyber borders requires a high degree of coordination and openness among the relevant units, including real-time information sharing and threat assessment. Unfortunately, however, not only is there little incentive for private sector entities to voluntarily offer the necessary level of cooperation, but policy makers in free societies are reluctant to force such measures on them. Even more unfortunate is the fact that the threats are real, substantial, and have the capacity to have an adverse impact far beyond the initial point of incursion. This raises the question as to whether or not there exist yet-to-be learned lessons that could point us toward a means of motivating businesses and other institutions to accept what would otherwise be unwelcome intrusion and expense.