IT security experts have been calling for greater attention to be paid to the growing risk for cyber-attacks to be carried out against on critical infrastructure assets in the United States, and some on Capitol Hill have bought into the notion of looming cyber-war; a new report funded by the U.S. Air Force contends that while still somewhat ambiguous, cyber-war is an inevitability.
In a lengthy paper funded by federal R&D grants aimed at providing independent policy alternatives to the USAF, experts with nonprofit Rand Corp. highlight their contention that the nation's military branches must treat cyber-war as another emerging field of battle -- one that both amplifies the threat of physical combat and presents new tactical challenges unfamiliar to everyone, not just the armed forces.
As a result, the government must continue to ramp up its cyber-defenses, according to the report authors. In particular, as others have noted, military leaders must seek to improve the resiliency of critical grid infrastructure, namely the very power, communications and financial systems on which public and private sectors depend on, Rand contends.
In the most likely scenarios cyber-attacks will be used in coordination with other forms of assaults, including physical combat, either to distract opponents or merely cause more damage, the experts say. However, the report also indicates how difficult it remains simply to understand when many forms of cyber-attack are occurring, let alone who they should be attributed to.
The report does not conclude that the Air Force should invest significantly in any specific mechanisms to prepare or react to cyber-war at present, but it does recommend substantial attention to be given to planning for potential scenarios, and call for continued commitment to federal initiatives aimed at helping private grid providers to improve their IT security standing.
"The lessons from traditional warfare cannot be adapted to apply to attacks on computer networks, cyber-space must be addressed in its own terms." Martin C. Libicki, the report's lead author and senior management scientist at Rand said in a summary.
"Operational cyberwar has the potential to contribute to warfare. how much is unknown and, to a large extent, unknowable," the report contends. "Because a devastating cyber-attack may facilitate or amplify physical operations and because an operational cyber-war capability is relatively inexpensive, it is worth developing."
The Rand paper echoes the sentiment that too much attention is presently being given to easily-detected denial-of-service type assaults, versus those tied to computing infrastructure infiltration and quiet interference or manipulation of important systems -- the kind of cyber-attacks that can be used to inflict damage for longer periods of time while being less likely to be detected.
Because military networks use the same IT systems as their civilian networks, they have similar vulnerabilities, but in some senses, it may be wise for the military to keep its hands out of attacks aimed at private organizations to ensure that those companies continue to feel compelled to invest in their own defenses, Libicki's group's research contends.
Overall, the report reaffirms the concept that while the entire theater of electronic warfare remains extremely nascent and unproven, it clearly represents one of the most important areas of development for future U.S. national defense and military strategies.
"Cyber-defense remains the Air Force's most important activity within cyberspace," concludes the Rand paper. "Although most of what it takes to defend a military network can be learned from what it takes to defend a civilian network, the former differ from the latter in important ways. Thus, the Air Force must think hard as it crafts its cyber-defense goals, architectures, policies, strategies, and operations."
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.