New Strategies to Meet the Threat of Cyberwar
As long as nations rely on computer networks as a foundation for their military power, and as long as such computer networks are accessible to the outside, they are at risk from enemy operations. With the U.S. Senate poised to debate cybersecurity legislation, the policy debate about cybersecurity seems to have taken center stage. In fact, the President himself recently declared that the "cyber threat is one of the most serious economic and national security challenges we face as a nation."
Although cybersecurity threats are real, does that mean that cyberspace is a medium like other media--such as air and space--that can be controlled in any meaningful sense of the word or that can realistically alter the military balance of power? A RAND Corporation study sought to answer this question, focusing on the policy dimensions of cyberwar: what it means, what it entails, and whether it is possible to deter others from resorting to it.
The study found that cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy's vulnerabilities. Permanent effects from cyberattacks are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do it again. Something that works today may not work tomorrow (indeed, precisely because it did work today, the vulnerability has likely been "patched").
As for deterrence, the study found that, given the nature of cyberattacks, deterrence and warfighting tenets established in other media, such as air and space, do not necessarily translate reliably to cyberspace. Responses to a cyberattack must weigh many factors. For example, unlike in a conventional or nuclear attack, there is the question of when a cyberattack target should reveal that it has been hit; in some cases, the damage may be obvious, while in others it may not, and the damage itself may not lead to a sudden loss of service. Revelation of an attack is needed to justify public retaliation, but trumpeting an attack may foster panic, reduce confidence in systems as they are being fixed, and make it difficult to carry out nonconfrontational strategies or nonpublic retaliatory strategies.
Given such differences, the report concludes that the tenets of deterrence need to be rethought. In particular, it argues that before contemplating deterrence as its primary response to the threat of state-sponsored cyberattacks, the United States may first want to exhaust other approaches, such as diplomatic, economic, and prosecutorial means. At the very least, the topic needs far more careful consideration than it has received to date.
What Influences Organizations to Adopt Multifactor Authentication?
Most organizations primarily use passwords to authenticate users on computer systems, but passwords are proving less and less capable of protecting such systems from abuse. Multifactor authentication (MFA)--which combines something you know (e.g., a personal identification number, or PIN), something you have (e.g., a token), and/or something you are (e.g., a fingerprint)--is increasingly common. This raises the following questions: What factors account for organizations' decisions to use, or alternatively, to reject MFA in favor of passwords or other forms of single-factor authentication, and among those that require MFA, where do they use it, and what factors do they require for various types of system access?
A RAND Corporation report seeks to answer these questions. Based on literature reviews and structured conversations with selected organizations that use or have contemplated using MFA, the authors made a number of findings, which included the following:
- MFA choices largely depend on which sector an organization is in (for example, the Department of Defense and federally funded research and development centers, health care, or financial services).
- User resistance after implementation is a nonissue, so far.
- MFA adoption tends to "stick," with no organization that adopted MFA later having changed its mind.
- Tokens that generate one-time passwords, rather than biometric approaches, predominate.
- MFA tends to be part of a broader security architecture, such as implementing more-intensive monitoring and intrusion-detection systems, closing unnecessary communication ports, curtailing administrative privileges or access from certain locations or machines, and improving physical security.
- Future plans favor wider MFA use.
- Compulsion and customer expectations tend to drive MFA adoption.
The report makes a number of recommendations, including that the U.S. government should, with National Institute of Standards guidance, develop methodologies by which the costs and benefits of mandating MFA for specific activities can be evaluated; that while promoting interoperability standards is worthwhile, expectations of the benefits of doing so should be tempered; and that research is needed to allow MFA to continue to provide its benefits given the increasing threat that user computers may be suborned by hackers.
RESEARCHER PROFILES
Martin Libicki
Martin Libicki is a senior management scientist at the RAND Corporation. His research focuses on the impacts of information technology on domestic and national security. This work is documented in commercially published books, e.g., Conquest in Cyberspace: National Security and Information Warfare (Cambridge University Press, 2007) and Information Technology Standards: Quest for the Common Byte (Digital Press, 1995), as well as in numerous monographs, notably How Insurgencies End (with Ben Connable, 2010), Cyberdeterrence and Cyberwar (2009), How Terrorist Groups End: Lessons for Countering al Qa'ida (with Seth G. Jones, 2008), Exploring Terrorist Targeting Preferences (with Peter Chalk and Melanie W. Sisson, 2007), and Who Runs What in the Global Information Grid (2000). His most recent research involved organizing the U.S. Air Force for cyberwar, exploiting cell phones in counterinsurgency, developing a post-9/11 information technology strategy for the U.S. Department of Justice, using biometrics for identity management, assessing the Terrorist Information Awareness program of the Defense Advanced Research Projects Agency, conducting information security analysis for the FBI, and evaluating In-Q-Tel. Prior to joining RAND, Libicki spent 12 years at the National Defense University, three years on the Navy staff as program sponsor for industrial preparedness, and three years as a policy analyst for the U.S. General Accounting Office's Energy and Minerals Division. Libicki received his Ph.D. in economics from the University of California, Berkeley.
RAND CONGRESSIONAL RESOURCES STAFF
Lindsey Kozberg
Vice President, Office of External Affairs
Winfield Boerckel
Director, Office of Congressional Relations
Laura Selway
Homeland Security Legislative Analyst
RAND Office of Congressional Relations
(703) 413-1100, ext. 5395
SUBSCRIPTIONS
To unsubscribe, please write to ocr@rand.org or call (703) 413-1100, ext. 5395.
Members of Congress and staff may receive a free copy by writing to ocr@rand.org or calling (703) 413-1100, ext. 5395.
RAND can also provide briefings, research assistance, testimony, and other services to Congressional offices.