The Cyber Security Head Game
Winning cyber wars means beating your adversary’s mind, not their technology.
Posted September 12, 2022 | Reviewed by Abigail Fagan
- Firewalls, anti-malware, encryption, access controls and other cyber defense technologies cannot guarantee cyber security.
- Such technologies often fail because they don't fully address human behavior, the biggest vulnerability in any system.
- Cyber defenses do sometimes target human vulnerabilities such as insider threats but almost never target adversary psychology.
- Effective security requires defenders to "get inside hacker's heads" to create confusion, doubt and fear that remove the motivation to attack.
Recently, the cyber arm of Homeland Security, CISA, announced a new, North Korean-sponsored ransomware attack on health care systems, and the Center for Strategic and International Studies just listed 89 major international cyberattacks in 2022 alone, including a recent China-sponsored compromise of vital telecommunication systems.
As if these incidents weren’t sobering enough, CISA also warned that Russia, in retaliation for US support of Ukraine, could compromise vital US infrastructure such as mobile networks, banks, and power and energy systems, in the same way Russian hackers took down the Colonial Pipeline system last year, causing severe fuel shortages.
In sum, we find ourselves in a never-ending, low-level global cyber conflict that threatens to erupt into a major cyber war at any time… and we are not winning that conflict.
Why aren’t we winning?
As the former CTO of the US Intelligence Community and current Chairman of the Board of the US Technology Leadership Council, I can say with confidence that the problem isn’t our technology. We invented the internet and still have the deepest technical resources of any country in the world, so our cyber defenses, including access controls, anti-malware, firewalls, secure computing platforms, intrusion/data loss detection systems and AI cyber defense systems are second to none. But, as the gloomy statistics show, having an impressive array of cyber defense weapons hasn’t been enough.
General George S. Patton, way back in World War II, was eerily prescient about our current difficulties when he observed: “To win battles you do not beat weapons—you beat the [soul] of the enemy man.”
What Patton meant was that war is more a test of wills than a battle of weapons, so, without the right mindset, an impressive arsenal of weapons won’t save you.
Getting the right mindset
Another famous general, Sun Tzu, suggested one way out of our difficulties when he observed, “All war is deception.” If you’re not a student of war, an intuitive way to understand the role of deception in conflict is to observe the successful camouflage (becoming invisible) and mimicry (looking like a scarier animal than you are) of prey animals, shown in these photos.
Just as the predators of the fish below are never going to go away (which is why this fish camouflages itself and sports huge fake eyes to scare predators), cyber predators also will never go away.
And the best of these cyber predators will continue to penetrate even the strongest defenses, because the exponential increase in IT system complexity, which makes it increasingly difficult even to understand the full extent of what you're defending, favors cyber attackers over cyber defenders. So we need to assume that some hackers will inevitably get inside our networks, and thus we must adopt strategies of deception, similar to those employed successfully by our fish here, to lessen the harm from competent hackers who manage to get up close and personal.
We also need to create doubt in hackers’ minds about the benefits of attacking us in the first place, in the same way that the poisonous cane toad avoids attacks from predators who know the toad’s skin has lethal poison glands, and milk snakes, which have no venom, discourage would-be predators by mimicking the coloration of coral snakes, which definitely do have deadly venom.
Creating confusion, doubt and worry inside hackers’ heads.
Here are some examples of cyber deception and deterrence that could reduce, or entirely avoid, damage that hackers who gain access to our networks might create.
- Create “false floors” that make hackers believe they have achieved omnipotent “super user” privileges that give them full access to all files and machines on a network, when, in reality, the hackers have only accessed relatively unimportant systems and files. Having “succeeded” in penetrating our network, some hackers will not dig deeper. (1) (2) (4)
- Recognizing that false floors won’t always work, scatter fake information (e.g. fictitious engineering designs, fake financial statements, fake user personal information) amongst real information. Hackers who try to sell or exploit useless or bogus information will quickly become unpopular with their sponsors. (5) (6) (7)
- Include nasty surprises in truly valuable files hackers might steal, such as “canary tokens” that beacon their location once stolen from a network, helping us track back to the hacker who stole the file. Or, we might even salt our data with malware that will damage a hacker’s computer, or give us detailed personal information about them. These equivalents of “cyber poison” would encourage cyber predators to seek less dangerous prey. (3)
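The “canary token” idea in the list above can be shown concretely on the defender’s side. The following is an added example, not code from the original article or from any product it alludes to: a small registry that mints a unique, HMAC-signed beacon URL per decoy file, embeds it in the decoy, and turns any hit on that URL into an alert naming which decoy was opened and from where. The beacon host `canary.example.invalid`, the signing key, the decoy names and the source address are all constructed for the demo. The signature on each token is the caveat a practitioner would want: without it, anyone who learns the URL pattern could flood the registry with bogus hits.

```python
"""Canary-token registry (added example): mint a signed beacon URL per decoy
file, embed it in the decoy, and convert beacon hits into alerts."""
import hmac
import hashlib
import secrets
from datetime import datetime, timezone

# Constructed demo values; a real deployment loads the key from a secrets store.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
BEACON_HOST = "canary.example.invalid"   # hypothetical beacon host


class CanaryRegistry:
    """Tracks which token belongs to which planted decoy and records hits."""

    def __init__(self, key: bytes = SIGNING_KEY):
        self._key = key
        self._tokens = {}   # token id -> metadata about the decoy it was planted in
        self.alerts = []    # every confirmed beacon hit, oldest first

    def _sign(self, token_id: str) -> str:
        # Short HMAC tag so a forged or guessed token id is rejected before lookup.
        return hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()[:16]

    def mint(self, decoy_name: str, planted_at: str) -> str:
        """Create a fresh token for one decoy and return its beacon URL."""
        token_id = secrets.token_hex(8)
        self._tokens[token_id] = {
            "decoy": decoy_name,
            "planted_at": planted_at,
            "created": datetime.now(timezone.utc).isoformat(),
        }
        return f"https://{BEACON_HOST}/b/{token_id}/{self._sign(token_id)}"

    def on_beacon(self, path: str, source_ip: str, user_agent: str):
        """Handle a request to the beacon host. Returns an alert dict for a
        genuine hit, or None for malformed, forged or unknown tokens."""
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != "b":
            return None
        _, token_id, sig = parts
        # Constant-time compare; a wrong or truncated signature is dropped silently.
        if not hmac.compare_digest(sig, self._sign(token_id)):
            return None
        meta = self._tokens.get(token_id)
        if meta is None:
            return None
        alert = {
            "decoy": meta["decoy"],
            "planted_at": meta["planted_at"],
            "source_ip": source_ip,
            "user_agent": user_agent,
            "seen": datetime.now(timezone.utc).isoformat(),
        }
        self.alerts.append(alert)
        return alert


def make_decoy_document(title: str, beacon_url: str) -> str:
    """Build a decoy HTML document whose remote image reference fires the beacon
    when a viewer that fetches remote content opens it."""
    return (
        f"<html><head><title>{title}</title></head><body>\n"
        f"<h1>{title}</h1>\n"
        f"<p>CONFIDENTIAL - internal distribution only.</p>\n"
        f'<img src="{beacon_url}" width="1" height="1" alt="">\n'
        f"</body></html>\n"
    )


if __name__ == "__main__":
    reg = CanaryRegistry()
    url = reg.mint("Q3_board_financials.html", r"\\fileserver\finance\board")
    doc = make_decoy_document("Q3 Board Financials", url)
    # Simulate the decoy being opened somewhere outside the network (constructed hit).
    hit = reg.on_beacon(url.split(BEACON_HOST, 1)[1], "203.0.113.7", "Mozilla/5.0")
    print(hit)
```

Only the beacon hit, not the file copy itself, is observable, so the alert fires when the decoy is rendered by something that fetches remote resources; viewers that block remote content will not trigger it, which is why decoys are usually planted alongside other signals rather than relied on alone.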
Do we have the will?
Ideas such as these have circulated in the cyber security community for years, and some companies actually offer tools that allow defenders to deceive and track would-be attackers. But corporate and government lawyers and policy overseers, nervous about lawsuits and PR blowback, generally discourage the use of cyber deceit, and are outright allergic to the idea of tracking and attacking those who attack us, because such countermeasures start to look a lot like illegal hacking themselves. Indeed, in cyberspace, unlike the physical world where we are entitled to defend ourselves if assaulted, self-defense (“hacking back,” as I’ve suggested) is not currently legal in the US.
In other words, we lack the will to do what nature, in her infinite wisdom, has encouraged grasshoppers, fish, toads, snakes and countless other species to do for millions of years. And because war, as General Patton observed, is fundamentally a test of wills, not weapons, we can expect to lose many important cyber conflicts going forward, because our adversaries, lacking legal or moral constraints, have stronger wills than we do.
Following a “cyber 9/11” where our banks, transportation, communication or health care systems fail, our laws and policies will probably adapt, eventually, to recognize modern realities and allow us to actively defend ourselves in cyberspace.
But until that happens, we will continue to lose cyber wars on the most important battlefield of all: the one inside our heads.