Monday, June 22, 2009

Pyrrhic Tactic

As I assume we all know, a Pyrrhic victory is essentially winning a battle but, in so doing, putting yourself in a situation that is ruinous for your hopes of winning the war.

This post is about two provisions in the Senate Bill 773 – the Cybersecurity Act of 2009 -- which was introduced in the Senate on April 1, 2009. Nothing seems to have happened with it since then.

Section 18 of the proposed Act gives the President the power to do two things I find particularly interesting: One is to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network”. The other is to “order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security”. Cybersecurity Act of 2009 § 18(2) & (3). In discussing these options, I’m going to refer to the first one as “shutdown” and to the second one as “disconnect.”

The bill doesn’t define “cybersecurity emergency” or “critical infrastructure information systems or networks”. Some construe the references to “Federal Government or United States” critical infrastructure information systems or networks as limiting the President’s authority to taking only federal systems offline. I can see that interpretation, but if that’s what the drafters of the bill meant, why didn’t they just say Federal Government critical infrastructure systems or networks, instead of throwing in the “United States” part? It seems to me the inclusion of United States clearly means both provisions apply (i) to Federal Government computer systems AND (ii) to “United States” systems, which I interpret as meaning any systems in U.S. territory (and maybe systems outside U.S. territory that are owned by U.S. citizens) that qualify as “critical infrastructure information” systems. If that interpretation is correct, then this bill would give the President a lot of power.

I can’t find any legislative history or other information that tells me what each of these options is intended to cover (e.g., what would justify the President’s exercising the power bestowed on him by either provision, and what, exactly, does it mean to order the shutdown of Internet traffic and/or the disconnection of systems from the Internet?). I assume they’re intended to implement some kind of cyber duck-and-cover response to a massive cyberattack, of whatever type (crime, terrorism, warfare) . . . a triage reaction designed to prevent further damage by taking systems offline.

If that’s what it’s intended to be, then it seems a cyber-version of military tactics like an army’s (Army A’s) retreating across a bridge and blowing up the bridge so the enemy (Army B) can’t follow them. That can make sense in a real-world battle, especially if it isn’t important for Army A to use the bridge to go back to the other side of the river.

I’m trying to figure out if a version of that tactic makes sense in the cybersecurity context. I’m going to speculate a bit about that here. I’m afraid it’s going to be pretty uninformed speculation given the lack of definitions and standards in the bill. I assume they’ll be added as it makes its way through Congress. . . . if it does.

In trying to figure out if this tactic makes sense in the cyber context, I’m going to use my blowing up the bridge scenario as a source of analogy. Blowing up the bridge works, as I noted earlier, as long as Army A doesn’t need to recross the river to attack Army B, help out some friendly forces that are being attacked by Army B on the other side, etc. In other words, it’s effective only if it deprives the retreating army, Army A, of something that it doesn’t need at all or doesn’t need enough to preserve it. Whether Army A needs the bridge enough to preserve it depends, of course, on the nature of that need: If Army A only “needs” the bridge in order to go back and attack Army B, then it’s probably not sacrificing much by blowing it up (since we’re assuming Army A was losing in the original battle). If Army A has some other need for the bridge – like using it to reunite with other forces on its side or using it to get to supplies it dearly needs – then the decision to blow up the bridge will be more complicated.

The officer in charge will very carefully have to weigh the advantages and disadvantages of doing so. In weighing those factors, this officer will also have to consider whether Army A has a viable alternative; even if there is a good reason not to blow up the bridge, blowing it up may be the only way Army A can avoid actual or operational annihilation.

And that brings us to the shutdown and disconnect options. While I don’t understand the parameters of either option, I think they probably involve conduct that differs in type and magnitude. Since I don’t really know what those differences are, I’m not going to try to analyze each option separately. Instead, I’m going to speculate about the advisability of using a blow-up-the-bridge strategy in the cybercontext.

To answer that question, we have to resolve the two issues noted above: The first issue is what we lose by doing a shutdown or disconnect. If we don’t lose anything we need, then it at least theoretically becomes a viable option. If we don’t lose anything we really need, then it is still potentially a viable option; if we lose something we really need, then I don’t see how it can be a viable option.

What would we lose if the President did a shutdown or disconnect? We’d lose all or part of our Internet connectivity. Internet connectivity differs from the bridge in the scenario I analyzed above in at least one respect: After Army A crossed the bridge and left Army B behind, Army A had no need for the bridge anymore, at least in my original scenario; it had done what it was needed for. I could be missing something, but I don’t think Internet connectivity is like the bridge in the original scenario.

Unlike the bridge, the Internet has many uses, some bad (like the potential for launching cyberattacks), most good. That means we would eliminate some bad (the online equivalent of preventing Army B from using the bridge to catch Army A) but would also eliminate some, maybe a lot of good (using the Internet for all kinds of legitimate uses). I say “maybe a lot of good” because I’m assuming the nature of an attack that justifies a shutdown or disconnect response would already have substantially impaired legitimate uses of the Internet. If the attack had seriously or completely compromised Internet access, then it becomes more and more like the bridge, which could be sacrificed without great loss to Army A.

That brings us to the second issue: Do we have viable alternatives to doing a shutdown or disconnect? As I noted above, even if blowing up the bridge is a costly option, it may be Army A’s only option; if that is the case, then Army A will have to blow up the bridge and live with the consequences of that action.

Since I don’t know what type of scenarios the shutdown and disconnect options are intended to address and/or the scope of a shutdown or disconnect response, I can’t really do much with this issue. It seems like we should have other alternatives, but maybe I say that because I want to believe we do, however pessimistic I tend to be about the current state of cybersecurity.

I think I’m having trouble buying shutdown and disconnect because they remind me of another historical military tactic: the siege. Siege warfare has been around for a long time, but was particularly popular in the Middle Ages. Seems like a good idea: you wall yourself up in a fortress of some kind, hoping your attackers can’t get in before they lose interest and abandon the whole thing. It looks to me like shutdown and disconnect are intended to extrapolate the siege concept to the world of cyberattacks.

When we’re hit with an attack of the appropriate severity, we’ll shut down or disconnect our computer systems and seal ourselves away in our virtual fortress . . . to do what? Wait until the attackers get bored and leave (“leave” virtually, of course)?

That tactic could work when you were sealed in a physical fortress with (you hoped) all the food and water and other supplies you needed to wait out an attacker. I don’t see how it can work in a world in which we depend on networked computer systems for all kinds of things, many of which are essential to our survival. If shutdown and disconnect are intended to extrapolate siege warfare to the cybercontext, then I think they represent a very flawed strategy.
