52 September 2003/Vol. 46, No. 9 COMMUNICATIONS OF THE ACM
COMMUNICATIONS OF THE ACM March 2004/Vol. 47, No. 3 53

CYBER DEFENSE: ART TO SCIENCE

BY O. SAMI SAYDJARI

Seeking the knowledge and means to more methodically detect, defend against, and better understand attacks on networked computer resources

Illustration by Robert Neubecker

Imagine that you lead an organization under cyber attack on your critical information systems. What questions are you likely to ask? Am I under attack; what is its nature and origin? What are the attackers doing; what might they do next? How does it affect my mission? What defenses do I have that will be effective against this attack? What can I do about it; what are my options? How do I choose the best option? How do I prevent such attacks in the future? Unfortunately, today we must often answer, “We don’t know and we have no way of knowing.”

Informally, it is in being able to answer these basic questions that we find the meaning of the term cyber defense. More formally, we can define cyber defense from its component words. Cyber, short for cyberspace, refers to both networked infrastructure (computers, routers, hubs, switches, and firewalls) and the information assets (critical data on which an organization depends to carry out its mission). Defense is the act of making safe from attack. Therefore, cyber defense refers to an active process of dependably making critical function safe from attack.

Elements of Cyber Defense

Defense in cyberspace is as complex as traditional warfare—it has the same key elements, corresponding to the basic questions listed at the beginning of this article: sensors and exploitation; situation awareness; defensive mechanism; command and control; strategy and tactics; and science and engineering. Simply put, one needs the knowledge and means to defend oneself, detect and understand attacks, and make good decisions about defense configuration. Each of the six elements is discussed in more detail here.

Cyber sensors and exploitation are the “eyes” of the system; they determine the attack capability, plans, and actions of an adversary—the essential first step to any dynamic defense. A primitive form of determining adversary actions is what we today call intrusion detection. To succeed we must acknowledge that attacks will sometimes succeed and adversaries will get inside the system. To assume otherwise is foolish.

Cyber situation awareness is a process that transforms sensed data into a decision aid by interpreting mission consequences and the context of other activity. For example, situation awareness might tell us that attack A will disable the organization’s logistics function for three days and that the attack is pandemic and is thus not targeting our organization specifically.

Cyber defensive mechanism is technology to counter threats. Historically, cyber defense has its roots in this element, with cryptography countering intercepted secret messages, virus scanners countering viruses, and firewalls countering hacker exploitations. Although this element is an important building block, professionals must extend their understanding beyond the cyber defense mechanism to see the bigger picture.

Cyber command and control is the process of making and executing decisions—orchestrating defensive systems, based on input from the situation awareness element. Command decision making requires an understanding of options based on the situation, and the means to evaluate them quickly [12]. Control requires a system to communicate the decisions and execute them reliably throughout the system.

Cyber strategies and tactics is knowledge of what constitutes a good decision in terms of initial defensive policies and configurations as well as changes needed during operations because of attack situations. Ideally, such knowledge is based on a wealth of historical experiences, but we prefer not to sustain the damages required to gain real cyber battlefield experience. As a substitute, we must begin developing strategies and tactics and testing them experimentally in models of real systems with mock adversaries.

Cyber science and engineering is the foundation yielding an understanding of design, composition, building, and maintenance of effective defense systems. Currently, this foundation is dangerously weak to the extent that it exists at all.

Dynamic Defense Is Imperative

Static preventive techniques, while important, are inadequate. In the design of trustworthy cyber defense systems, there is a three-way trade-off among security, performance, and functionality. The security dimension itself has at least three components: confidentiality, data integrity, and availability. One cannot statically optimize all dimensions with respect to all attacks. For example, although spreading many copies of data around a system can hinder denial-of-service attacks, it exacerbates the confidentiality problem by creating more targets of opportunity for the attacker. At the higher level, security functions often degrade both performance and functionality. One would rather not have to incur these costs unless under attack, just as soldiers do not put on chemical suits unless there is a known threat of chemical attack on the battlefield.

We need to create systems that make explicit trade-offs within this space both at design time and at operation time—dynamically moving within the trade-off space depending on the situation. We also, therefore, need systems capable of quickly ascertaining the situation so the correct trade-offs can be made.

The Art of War—Strategy and Tactics

Cyber attacks are becoming sophisticated; attackers routinely use attack design toolkits, apply stealth techniques, and target an increasing spectrum of protocols and applications. Cyber attackers are learning to actively evade countermeasures. Soon they will develop sophisticated tactics and will evolve toward strategic campaigns using multi-pronged attacks against strategic objectives. Moreover, attackers have the advantage because they can carefully plan and choose the best time and the weakest points at which to attack. Creating defenses capable of thwarting such attacks will take years; we cannot afford to wait until we see cyber attack methods evolve to this level.

At the same time, defensive mechanisms are proliferating and becoming increasingly complex—exceeding our ability to understand how best to configure
each mechanism and the aggregate of mechanisms.

To effectively manage all the defensive elements, one needs strategy and tactics. Because we have little history in cyberspace, we must look to analogy. We can apply analogies from the battlefield [9]. For example, the battlefield concept of forcing an adversary into disadvantageous terrain has a cyberspace analogue of arranging one’s defensive architecture to force adversaries into the “sweet spots” of their intrusion detection algorithms. The battlefield concept of deception has the cyberspace analogue of creating false cyber targets (also known as honey pots) and misleading configurations.

Figure 1. Dynamic design and operating trade-off space. [Axes: Security, Functionality, Performance.]

Similarly, one may borrow from the realm of strategic game playing. The “game” of war is extraordinarily complex because of the great variety of moves, changing rules, and changing capabilities. Yet, some general principles apply, especially as a human decision aid [3]. Determining the right strategic decisions is best performed by creative well-informed humans. This makes cyber defense a matter of art, supported by science, not a matter for total automation. Therefore, we should focus on automating the mundane tasks and providing decision aids to qualified humans for the strategic decision making.

To develop strategy and tactics we accumulate hypotheses based on analogy, and then validate them. We can gain experience through simulation on accurate models of our critical systems interacting with human decision makers. We must engage in many scientific experiments within these models. Adversaries must be accurately modeled using our best red teams. Our strategy and tactics—our cyber defense playbook—need to be validated in such simulations to yield the knowledge to defend our critical cyberspace from sophisticated attack. We must learn how to defend against how real attackers will attack.

Figure 2. Cyber defense system design models. [Diagram labels: Mission, Likely Attacks, Adversary, System Design, Countermeasure Effectiveness, Acceptable (Yes/No), Updated System Designs.]

Although there is much to be learned from physical war strategy and tactics, there are other areas where the differences are big enough to require a completely new way of thinking about strategy and tactics in cyberspace. As a word of caution, consider some of the key differences. Physical space is three-dimensional; cyberspace is hyper-dimensional, making maneuvering complex. Physical weapon effects are predictable and constrained by physics; cyber weaponry is difficult to predict, often having non-linear damaging effects. Physical attacks occur at human-perceptible speeds; some cyber attacks may aggregate too slowly to be perceived, while many others could occur in milliseconds, making all of them outside the realm of possible human reaction times. Physical attacks often have clear manifestations; cyber attacks can be difficult to detect, making damage assessment problematic.

Science and Technology Deficits

To achieve a viable cyber defense capability, we need many advances in both science and technology. Here are a few.

We must learn how to create trustworthy systems from untrustworthy components [1]. Trustworthy systems are the building blocks of good cyber defense. The need to create them from untrustworthy components arises from two sources: the vulnerable computer systems that consumers habitually choose and basic system engineering limitations. Trustworthiness, like reliability, is not just in the components, but in the “glue” that holds the components together. Therefore, we need to understand how to achieve trustworthiness through architectures. Without this, we will be building castles in the sand. Some viable approaches have been identified [5] and should be pursued with vigor.

Intrusion detection needs to get a whole lot better. It is inadequate to employ a detect-respond paradigm. Recent attacks such as Slammer and Code-Red are just too fast for today’s systems, which are based on detecting signatures of previously detected attacks. Experimental schemes to identify attacks based on detecting anomalies deviating from “normal” activity
have unacceptably high false-alarm rates and relatively poor coverage of the attack space [2]. Further, these schemes often use data from sensors originally designed for auditing security-relevant events, not for detecting attacks. Viable detection requires ground-up analysis of how attacks manifest, custom design of sensors that exploit these manifestations, proper classification algorithms for categorizing relevant events, and detection algorithms that measurably [11] cover the entire attack space.

Intrusion response must be developed so that actions are timely and effective. We need some degree of autonomic response for attacks that are too fast for the human decision cycle. We also must develop decision aids for enumerating situation-dependent courses of action, as well as means to evaluate those courses of action. Using human anatomy as an analogy, we need both the autonomic and the central nervous system, and they must work together to create a systematic defense.

Defending against distributed denial-of-service attacks is needed to ensure availability. Cutting off the many attack paths available to attackers often cuts off the very availability that one is trying to preserve. Further, traditional security and reliability remedies often worsen the problem. Solutions will almost certainly require that quality of service capabilities are added to the Internet.

Countering life-cycle attacks is essential to trustworthiness. If adversaries can infiltrate software development teams and insert malicious code into systems while the software is developed, they can subvert whatever trust that was established. For modern software, the development process and the resulting code are very complex, therefore making preventing and detecting subversion extraordinarily difficult. Nonetheless, we must develop techniques to detect and eradicate malicious code embedded in our code, or find ways to architecturally neutralize it.

Scientific experimental computer science is needed to make real progress. Much of the knowledge in cyber defense today has the status of hypothesis rather than fact. Some have significant evidence in their favor, yet they are still hypotheses. We need experimental methods, based on solid metrics, isolating single variables at a time, to convert these hypotheses into knowledge. Only this will create the firm research foundation needed to enable a sound research track.

Controlled information sharing is needed more than ever. Computer security has its roots in the requirement for Multilevel Security (MLS) processing. The need continues for controlled sharing among groups of differing trust relationships. Further, the need is rapidly growing as collaboration becomes the norm in accomplishing organization goals.

On a final note, even if we make the required scientific and technological advances, we still must find ways to better integrate technology results into mainstream products and systems. Industry’s and government’s track record of employing useful technology results from research has been poor so far. For example, solutions to defend the vulnerable Domain Naming Service and the Border Gateway Protocol have been available for several years now, but have yet to be incorporated into the network infrastructure.

Creating a Systems Engineering Discipline

Today, the process of designing a well-defended system is a matter of black art. One simply hopes designers were adequately knowledgeable about the range of relevant attacks and that they did an adequate job of defending against those attacks. We must evolve toward a systems engineering discipline, which urgently requires several elements.

What gets measured gets done. Without adequate metrics to assess the performance of cyber defense systems, progress is impossible to judge. Some primitive metrics have been proposed [10], but much more work remains to be done.
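An added example, not from the article: one way to put numbers on the intrusion-detection and metrics passages above, scoring a signature detector and an anomaly detector on how much of the attack space each covers and on its false-alarm rate. The events, signatures, attack class names and thresholds are all constructed assumptions.

```python
"""Score detectors on attack-space coverage and false-alarm rate.

Every event, signature and class name here is constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed placeholder signatures of "previously detected attacks".
SIGNATURES = ["wormA-marker", "exploitB-marker"]

# Constructed benign connection rates used to learn "normal" activity.
BASELINE_RATES = [10, 12, 15, 9, 18, 14, 11, 13]


def ev(label, payload, conn_rate):
    """One labelled test event; label None means benign traffic."""
    return {"label": label, "payload": payload, "conn_rate": conn_rate}


# Constructed labelled test set: four attack classes plus benign traffic.
EVENTS = [
    ev(None, "GET /index.html", 12),
    ev(None, "GET /report.pdf", 18),
    ev(None, "POST /backup", 95),            # benign burst
    ev(None, "GET /index.html", 9),
    ev(None, "POST /upload", 70),            # benign burst
    ev(None, "GET /status", 15),
    ev("known_fast_worm", "x wormA-marker x", 300),
    ev("known_fast_worm", "y wormA-marker y", 280),
    ev("novel_fast_worm", "wormC-unknown-bytes", 250),
    ev("novel_fast_worm", "wormC-unknown-bytes", 310),
    ev("known_exploit", "q exploitB-marker q", 13),
    ev("known_exploit", "r exploitB-marker r", 17),
    ev("slow_probe", "GET /admin", 14),       # aggregates too slowly to stand out
    ev("slow_probe", "GET /admin", 16),
]


def signature_detector(event):
    """Alert only on payloads matching a previously seen attack."""
    return any(sig in event["payload"] for sig in SIGNATURES)


def make_anomaly_detector(baseline, k=3.0):
    """Alert when the connection rate exceeds mean + k standard deviations."""
    threshold = mean(baseline) + k * pstdev(baseline)
    return lambda event: event["conn_rate"] > threshold


def combined(*detectors):
    """Alert if any of the given detectors alerts."""
    return lambda event: any(d(event) for d in detectors)


def evaluate(detector, events, min_rate=0.5):
    """Return per-class detection rate, coverage, gaps and false-alarm rate.

    A class counts as covered when at least min_rate of its events alert.
    """
    per_class = {}                 # class -> [detected, total]
    false_alarms = benign = 0
    for e in events:
        hit = bool(detector(e))
        if e["label"] is None:
            benign += 1
            false_alarms += hit
        else:
            stats = per_class.setdefault(e["label"], [0, 0])
            stats[0] += hit
            stats[1] += 1
    rates = {c: d / t for c, (d, t) in per_class.items()}
    uncovered = sorted(c for c, r in rates.items() if r < min_rate)
    true_pos = sum(d for d, _ in per_class.values())
    alerts = true_pos + false_alarms
    return {
        "class_detection_rate": rates,
        "coverage": 1 - len(uncovered) / len(rates) if rates else None,
        "uncovered": uncovered,
        "false_alarm_rate": false_alarms / benign if benign else None,
        "precision": true_pos / alerts if alerts else None,
    }


if __name__ == "__main__":
    anomaly = make_anomaly_detector(BASELINE_RATES)
    for name, det in [("signature", signature_detector),
                      ("anomaly", anomaly),
                      ("combined", combined(signature_detector, anomaly))]:
        r = evaluate(det, EVENTS)
        print(f"{name:9s} coverage={r['coverage']:.2f} "
              f"false_alarm_rate={r['false_alarm_rate']:.2f} "
              f"uncovered={r['uncovered']}")
```
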

We need a spectrum of system models and an engineering framework analogous to the CAD/CAM framework used by hardware engineers. The community needs adequate threat models, adversary models [7], mission models, and countermeasure effectiveness models. Each type of model will require tremendous energy to produce, yet little effort is under way in these arenas.

Finally, a methodology to quantitatively trade off design factors and achieve a specified system result is needed. A vision for such a framework should be established and it should be realized with dispatch.

Achieving a National Cyber Defense Capability

So far, I’ve described cyber defense in the abstract, the principles of which apply at all scales. Here, I examine and discuss cyber defense at the macro scale of defending the national critical information infrastructure. To understand what suffices as a defense, one needs to understand vulnerabilities and the consequences of failure. That the threat is serious has been established [6]. If the reader has any doubts as to the gravity of the problem, consider the major damage done by accidental failures of the telephone system, the power grid,
and banking. Any failures that can happen by accident can likely be induced by an attacker, with significantly more damage potential [4]. The degree of that risk is hotly debated among leading professionals, but, unfortunately, opinions are founded almost entirely on speculation, as scientific study of this question has yet to be seriously undertaken. Such a study is a matter of utmost urgency to our government because the nature and scope of a national cyber defense capability must be grounded in a full comprehension of the susceptibility of our systems.

Engineering Cyber Defense—Manhattan Project. The National Strategy to Defend Cyberspace (released in February 2003) implies that market forces will be adequate to defend at the national scale. This is unlikely to be true [8]. By the same reasoning, market forces would be adequate to defend people, buildings, and towns against kinetic war. We can wish for that to be true. We can observe that we need a certain level of strength to survive normal stresses of life and that this strength provides some measure of defense against trivial attacks. The notion that such protection levels would withstand a nation-state attack is obviously absurd. Why then would this be different in cyberspace? Only a national scientific study will tell us for sure, but intuition tells us that an engineering capability is almost certainly needed.

How might a national cyber defense capability be engineered? What is clear is that this is a very difficult problem. Some of the requisite technology does not yet exist. Yet, all indications are that such a capability is urgent. It therefore seems reasonable to dedicate the finest scientific and engineering minds toward a concerted effort to develop the capability within three years. We need a project in the style of the Manhattan Project with the requisite national priority, resource levels, and structure. Anything less will likely stumble.
History has shown us that a distributed lower-priority investment has failed to create the needed capability despite more than three decades of research and development.

Sound National Cyber Defense Policy. Sound national cyber defense policy depends on understanding the problem, its solutions, and the nature of cyber conflicts from economic, behavioral, and political perspectives. Unfortunately, our understanding is currently quite limited. In such a circumstance, a sound policy would be to place high priority and urgency on gaining a deep understanding of all these areas.

Furthermore, the U.S. would benefit by acknowledging that its survival and function now depend on its information infrastructure. Sound policy would reduce the rate at which that dependency is increasing and find ways to minimize the risk as an interim measure.

Finally, I note that achieving a national cyber defense capability has the potential of infringing on citizen privacy in the effort to detect malicious network-based activity. The U.S. national policy must be to avoid abrogating the very rights it is intending to protect.

Conclusion

Cyber defense poses serious technical and policy challenges for the U.S. Much work lies ahead in creating a stronger scientific foundation, the required technology for national-scale cyber defense, and an engineering discipline to provide the means. Policy should follow scientifically based knowledge and understanding; gaining that understanding should now be the primary objective.

References

1. Committee on Information Systems Trustworthiness, National Research Council. Trust in Cyberspace. National Academy Press, Washington, D.C., 1999.
2. Haines, J., Ryder, D., Tinnel, L., and Taylor, S. Validation of sensor alert correlators. IEEE Security and Privacy 1 (Jan./Feb. 2003), 45–56.
3. Hamilton, S.N., Miller, W.L., Ott, A., and Saydjari, O.S. The role of game theory in information warfare. In Proceedings of the Fourth Information Survivability Workshop, Vancouver, B.C., Canada, March 2002.
4. Letter to President Bush, February 27, 2002; www.uspcd.org/letter.html.
5. Neumann, P. Principled Assuredly Trustworthy Composable Architectures. Draft Final Report (Oct. 2003); www.csl.sri.com/users/neumann/chats4.pdf.
6. President’s Commission on Critical Infrastructure Protection. Critical Foundations: Protecting America’s Infrastructure. Washington, D.C., 1997; www.ciao.gov/resource/pccip/PCCIP_Report.pdf.
7. Salter, C., Saydjari, O., Schneier, B., and Wallner, J. Toward a secure system engineering methodology. In Proceedings of New Security Paradigms Workshop (Sept. 1998), ACM Press, New York, 1998.
8. Saydjari, O.S. Defending cyberspace. IEEE Computer 35 (Dec. 2002), 125.
9. Saydjari, O., Tinnel, L., and Farrell, D. Cyberwar strategy and tactics: An analysis of cyber goals, strategies, tactics, and techniques. In Proceedings of the 2002 IEEE Workshop on Information Assurance, June 2002, U.S. Military Academy, West Point, NY.
10. Schudel, G. and Wood, B. Adversary work factor as a metric for information assurance. In Proceedings of New Security Paradigms Workshop (Sept. 2000), ACM Press, New York, 2001.
11. Tan, K.M. and Maxion, R.A. Determining the operational limits of an anomaly-based intrusion detector. IEEE Journal on Selected Areas in Communications, Special Issue on Design and Analysis Techniques for Security Assurance 21 (Jan. 2003), 96–110.
12. Tinnel, L., Saydjari, O., and Haines, J. An Integrated Cyber Panel System. Supplement to DARPA Information Survivability Conference and Exposition, April 2003, Crystal City, VA.

O. Sami Saydjari (ssaydjari@CyberDefenseAgency.com) is the CEO of Cyber Defense Agency, LLC (www.CyberDefenseAgency.com) and chairman of the Professionals for Cyber Defense (www.uspcd.org).

© 2004 ACM 0002-0782/04/0300 $5.00