Physical metaphors for cyber space create pernicious mistakes of intuition about strategy. The lay of the land determines a great part of battlefield strategy. Cyber space is as unfamiliar and surprising as a trip through the looking glass, frustrating many efforts to understand cyber strategy by way of analogy to physical space. Writing about cyber strategy would be greatly improved by careful attention to the shape of the battlefield. The battlefield is a vast, multi-layered network and not a physical terrain.
Problems with the metaphor of space for cyberspace
- Single physical location fails in two directions. One actor can be located in more than one location. One location can exist in more than one physical jurisdiction, or in the global commons (e.g., satellite Internet link to offshore platform).
- Perimeter defenses doesn’t work.
- The analogy to physical movement and distance yields poor intuition about movement in cyber space, e.g., velocity, acceleration, time to penetrate defenses, and maneuver.
- Control of physical objects is a particularly poor metaphor for cyberspace analogs, which requires neither direct physical access nor the attention of an individual. In physical space, individual agents control only those objects within reach; creation of new objects requires logistics, procurement.
- Crucial capabilities for control: autonomy of maneuver, force projection over a territory.
- Changing the physical landscape is time-consuming, expensive, and hard to conceal.
Concepts for cyber security
- Network locations. IP address, physical layer, hardware within the machine (MAC, SIM), organization providing Internet access (ISP, cell network, satellite link), states with governing authority over telecoms.
- Access control, difficulty of forging authentication, multiple factors of authentication, time-based security.
- Network measures of distance. Servers mediating access to a target system. Physical barriers mediating access to a system.
- Manipulation of remote systems is cheap, automated, replicable. Millions of poorly protected machines are widely available.
- Crucial capabilities for control: IT control policies and procedures, jurisdiction, surveillance, and collaboration in law enforcement, counter-intelligence.
- The network topology is a policy choice. Control over topology is shared between governments, business, civil society, and individuals. Topology is actively controlled by actors before, during, and after conflict.
Just as the domain of air warfare required new strategy, so does the cyber domain. The air domain vastly increased the reach of a few actors. Air operations prioritized the defense-industrial base, which could replace assets lost in battle. Together, air and naval power permitted the projection of power at previously unimagined distances.
Read the rest of this entry »