Risk
10/12/2009
11:49 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyberwar Readiness Recast As Low Priority

Preparedness for cyberwar should have a place in U.S. defense planning, but resources are better spent on bolstering potentially vulnerable infrastructure, according to think tank RAND.

The U.S. government should not make cyberwarfare a priority investment area, according to a report from public policy think tank RAND Corp.

The report, which was underwritten by the Air Force, recommends that the government focus instead on shoring up defenses of critical infrastructure like the nation's telecommunications networks, banking systems, and power grid that may be vulnerable to cyber attack.

"Operational cyber war has an important niche role, but only that," the report states.

At best, cyberwarfare operations "can confuse and frustrate operators of military systems, and then only temporarily," the report notes. "The salient characteristics of cyberattacks--temporary effects and the way attacks impel countermeasures--suggest that they be used sparingly and precisely. Attempting a cyberattack in the hopes that success will facilitate a combat operation may be prudent; betting the operation's success on a particular set of results may not be."

The report contends that unlike regular warfare, which aims to break down enemy defenses and morale to get the other side to give in, countries often respond to cyber attacks by hardening their defenses and making them less vulnerable to future attacks. "Casualties are the chief source of the kind of war-weariness that causes nations to sue for peace when still capable of defending themselves--but no one has yet died in a cyber attack," the report says.

Further, cyber attacks often have ambiguous sources that make them difficult to retaliate against or could create new enemies if a source is misidentified. And they only temporarily disarm enemies, since computer equipment can easily be replaced.

The report warns that "non-state actors" could jump into the fray. However, it bases few of its conclusions on such scenarios, even though individuals or loose-knit groups tend to be the more obvious ongoing threat on the Internet.

Despite warnings that cyberwar may have a limited role, the report notes that some investment is appropriate.

"Operational cyberwar has the potential to contribute to warfare -- how much is unknown and, to a large extent, unknowable," it says. "Because a devastating cyber attack may facilitate or amplify physical operations and because an operational cyberwar capability is relatively inexpensive, it is worth developing."

The Air Force created a dedicated cyber command earlier this year, which became operational in August. That force includes about 6,000 active duty personnel and is expected to have an annual budget exceeding $5 billion.

Read InformationWeek's first-ever analysis of top CIOs in federal, state, and local government, and how they're embracing new expectations. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.