Risk
10/12/2009
11:49 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyberwar Readiness Recast As Low Priority

Preparedness for cyberwar should have a place in U.S. defense planning, but resources are better spent on bolstering potentially vulnerable infrastructure, according to think tank RAND.

The U.S. government should not make cyberwarfare a priority investment area, according to a report from public policy think tank RAND Corp.

The report, which was underwritten by the Air Force, recommends that the government focus instead on shoring up defenses of critical infrastructure like the nation's telecommunications networks, banking systems, and power grid that may be vulnerable to cyber attack.

"Operational cyber war has an important niche role, but only that," the report states.

At best, cyberwarfare operations "can confuse and frustrate operators of military systems, and then only temporarily," the report notes. "The salient characteristics of cyberattacks--temporary effects and the way attacks impel countermeasures--suggest that they be used sparingly and precisely. Attempting a cyberattack in the hopes that success will facilitate a combat operation may be prudent; betting the operation's success on a particular set of results may not be."

The report contends that unlike regular warfare, which aims to break down enemy defenses and morale to get the other side to give in, countries often respond to cyber attacks by hardening their defenses and making them less vulnerable to future attacks. "Casualties are the chief source of the kind of war-weariness that causes nations to sue for peace when still capable of defending themselves--but no one has yet died in a cyber attack," the report says.

Further, cyber attacks often have ambiguous sources that make them difficult to retaliate against or could create new enemies if a source is misidentified. And they only temporarily disarm enemies, since computer equipment can easily be replaced.

The report warns that "non-state actors" could jump into the fray. However, it bases few of its conclusions on such scenarios, even though individuals or loose-knit groups tend to be the more obvious ongoing threat on the Internet.

Despite warnings that cyberwar may have a limited role, the report notes that some investment is appropriate.

"Operational cyberwar has the potential to contribute to warfare -- how much is unknown and, to a large extent, unknowable," it says. "Because a devastating cyber attack may facilitate or amplify physical operations and because an operational cyberwar capability is relatively inexpensive, it is worth developing."

The Air Force created a dedicated cyber command earlier this year, which became operational in August. That force includes about 6,000 active duty personnel and is expected to have an annual budget exceeding $5 billion.

Read InformationWeek's first-ever analysis of top CIOs in federal, state, and local government, and how they're embracing new expectations. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!