The key to counteracting social engineering is awareness since social engineers are targeting our lack of cognition, our ignorance, and our fundamental biases. In a cybersecurity context, it’s not as easy to mitigate social engineering as it is to mitigate software and hardware threats. On the software side, we can purchase intrusion detection systems, firewalls, antivirus programs, and other solutions to maintain perimeter security. Attackers will certainly break through at one point or another, but strong cybersecurity products and techniques are readily available. When it comes to social engineering, we can’t just attach a software program to ourselves or our employees to remain secure.
The most important lesson from Russia’s involvement in the 2016 presidential election may be this: foreign hackers and propagandists are not afraid to launch attacks against the United States in and through cyberspace that they would not dare risk in a real theater of war. So as cyber aggression gets worse and more brazen every year, it’s crucial that the Department of Defense figures out how to deter foreign actors in cyberspace as effectively as in nuclear and conventional warfare. The Pentagon can take five steps to better deter foreign cyber attacks.
It remains to be seen whether or not the current administration’s approach to China will bring further progress in terms of limiting cyber attacks. Ultimately, extending the terms of the 2015 agreement to explicitly ban attacks, to encourage co-operation in hardening financial institutions against them, and perhaps even mandate bi-lateral responses should they occur, would be in the mutual interest of both the U.S. and China.
In a year when the breadth, extent, and impact of cyber attacks continues to expand as geopolitical tensions escalate, the creation of norms remains essential to shape behavior in cyberspace and identify which targets are off limits. However, as these latest attacks may demonstrate, absent any coherent cybersecurity strategy and response framework, adversaries will disregard norms as long as they can attack with impunity.
Over the last 30 years the international security environment has been characterized by several security deficits, which are defined as a government’s inability to meet its national security obligations without external support. Intra-state, transnational, and regional actors challenge a sovereign government’s ability to provide a secure environment for their citizens. While evident in countries like Syria and Afghanistan, it is also true in the cyber world.
While there have been many valuable contributions to our understanding of the digital realm from the social sciences, it has been a struggle on all fronts to transform those theoretical and empirical observations into cohesive, strategic and policy recommendations. Cyberspace in Peace and War is a huge stride in the right direction. Anyone interested in cyber security should have a copy of in their library, and going forward it should be regularly cited and referred to.
it is important to reintroduce many of the well understood concepts of strategy to the cyber-Security debate precisely because it adds clarity to an otherwise murky topic. While it is good to come to the right answer, it is also important that we understand the strategic relationships of different behaviors so that we can consistently prescribe proper policy. Understanding why negotiations are a good idea today will better help us determine if they are a good idea tomorrow, and hopefully forestall deleterious decisions based upon improper analogs.
Few at CyConUS were optimistic about the future of cyber restraint among states. Rather, it was the assertiveness of nation-states that featured prominently in many of the keynotes and panel discussions. Whether the U.S. and its allies can respond effectively to these challenges, and the many others likely to follow, remains an open question. The cyber era is one of asymmetric conflict. For all of the billions of dollars the U.S. spends on cybersecurity through the departments of Defense and Homeland Security, determined attackers can find success for a minuscule fraction of that cost. Bending that cost-curve in a more favorable direction must be a top priority for the U.S. and its global partners.
Deterrence strategy, too, is essentially timeless, which inherently means it is applicable even to cyber warfare. While a legitimate threat of force lies at the heart of deterrence, different modes of warfare may be necessary to accomplish the true purpose of strategy as Clausewitz saw it: the accomplishment political goals. The U.S. political goal in this case is to prevent attacks and other wicked acts perpetrated against America in the cyber realm. Though the U.S. definitely has heavy hands in the cyber boxing arena, a better strategy is to avoid punches altogether, rather than slugging it out in the middle of the ring.
Maneuvering through cyberspace in support of strategic objectives and Unified Land Operations requires cyber leaders to develop into “agile and adaptive leaders who are flexible, critically reflective, and comfortable with ambiguity and uncertainty.” The Army’s Cyber Branch must prepare leaders to improve competence in their technical requirements, remain operationally focused, seek lifelong development, and possess an entrepreneurial mindset through the application of learner-centric, adult learning models in the classroom to meet the needs of the Army as it defends the nation.
Threat drives technology. This has been the case for the U.S. military for the last 150 years. One could say that forecasting what the next threat will be is actually what drives technology. Two prime examples of this are coastal and air defenses of the United States in the beginning and middle of the 20th century. Now we are facing an ever-developing threat: cyber attacks against our nation’s infrastructure. These are becoming more invasive and dangerous to our national security, given how much a modern military relies on cyberspace for communication and command and control.
War is won with information. This is no new phenomenon; since there has been war, there has been military intelligence, and generally, those with the most information have been the most successful. Protecting important information and learning about the enemy and his plans are imperative to winning war.