Fight the cold cyberwar with analytics
Malware—malicious code—does not exist. “Now, wait a second,” you say, “news reports of a new cyberattack seem to occur every day. How can there be no such thing as malware?”
For code to be malicious, it would have to know the difference between right and wrong, which isn’t possible—at least as long as networks do not become self-aware as Skynet did at 2:14 a.m. ET on August 29, 1997 in the 1991 summer blockbuster, Terminator 2: Judgment Day.
That’s the good news. The bad news, however, is that there is no shortage of malicious coders, programmers, criminal organizations, nation states and the like. They create and weaponize code to attack networks and infrastructure, compromise data security and steal critical military intelligence and priceless research and development (R&D).
These degenerates live in the physical world, and many of them are recidivists or known bad actors. They have affiliations, travel histories, records and other data. They write blog posts and have Facebook pages. Some of the worst offenders are hidden by multiple degrees of separation from the actual coders, or script-kiddies, who do their bidding. The kind of background and expertise that analysts need to identify the attacker falls outside the realm of what is traditionally considered cyberdata—log data, NetFlow data, signatures and so on. Rather, it resides in the physical realm of watch lists, derogatory data sources, geospatial sources, social media and demographics.
A shift needs to be made from focusing solely on the attack to focusing on the attacker as well. This shift in thinking allows cyber defenders to take investigations to the next level. That level goes beyond the attacking machine, or the type of attack, to the source of the attack. Specifically, it needs to look into who is behind the attacking machine, who is at the keyboard, who employs the attacker, where the attacker has been and where the attacker is now.
The ability to attribute the attack to the attacker is critical to any active cyber defense measure and the key to deterrence. Consider the Cold War–era doctrine of Mutually Assured Destruction (MAD) between the United States and the Soviet Union. Because both nations were capable of attacking and destroying each other, each would know as soon as an attack was launched where it came from and who did it. Based on the theory of deterrence, the known consequences, in large part, kept either side from engaging in an attack on the other.
Maybe a little bit of Cold War thinking is what is needed in the cold cyberwarfare that exists today. Attacker attribution is the only way one state can hold another state responsible for an attack. Without it, no consequences exist, and the lack of penalty can only make bad actors bolder than ever. What is cold cyberwarfare today could very well become hot cyberwarfare tomorrow.