U.S. Must Focus on Protecting Critical Computer Networks from Cyber-Attack

Because it will be difficult to prevent cyber-attacks on critical civilian and military computer networks by threatening to punish attackers, the United States must focus its efforts on defending these networks from cyber-attack, according to a new RAND Corp. study.

The study finds that the United States and other nations that rely on externally accessible computer networks -- such as ones used for electric power, telephone service, banking, and military command and control -- as a foundation for their military and economic power are subject to cyber-attack.

"Adversaries in future wars are likely to go after each other's information systems using computer hacking," said Martin C. Libicki, the report's lead author and senior management scientist at RAND, a nonprofit research organization. "The lessons from traditional warfare cannot be adapted to apply to attacks on computer networks. Cyber-space must be addressed in its own terms."

Working against connected but weakly protected computer systems, hackers can steal information, make the systems malfunction by sending them false commands and corrupt the systems with bogus information.

In most instances, the damage from cyber-attacks is temporary and repeated attacks lead the victim to develop systems that are more difficult to penetrate. The RAND study finds that military cyber-attacks are most effective when part of a specific combat operation -- such as silencing a surface-to-air missile system protecting an important target -- rather than as part of a core element in a long, drawn-out military or strategic campaign.

Libicki says it is difficult to determine how destructive a cyber-attack would be. Damage estimates from recent cyber-attacks within the United States range from a few billion dollars to hundreds of billions of dollars per year.

The study indicates that cyber-warfare is ambiguous, and that it is rarely clear what attacks can damage deliberately or collaterally, or even determine afterward what damage was done. The identity of the attacker may be little more than guesswork, which makes it hard to know when someone has stopped attacking. The cyber-attacker's motivation, especially outside physical combat, may be equally unclear.

The weapons of cyber-war are amorphous, which eliminates using traditional approaches to arms control. Because military networks mostly use the same hardware and software as civilian networks, they have similar vulnerabilities.

"This is not an enterprise where means and ends can be calibrated to one another," Libicki said. "As a result, it is ill-suited for strategic warfare."

Because offensive cyber-warfare is more useful in bothering, but not disarming, an adversary, Libicki does not recommend the United States make strategic cyber-warfare a priority investment. He says similar caution is needed for deterring cyber-warfare attacks, as it is difficult to attribute a given attack to a specific adversary, and the lack of an ability to counterattack is a significant barrier.

Instead, Libicki said the United States may first want to pursue diplomatic, economic and prosecutorial efforts against cyber-attackers.

The study, Cyberdeterrence and Cyberwar, was prepared by RAND Project AIR FORCE, a federally funded research and development center for studies and analysis aimed at providing independent policy alternatives for the U.S. Air Force.

Download the full document