Sunday, May 29, 2016

Cyber bombs - Does the Pentagon think we're stupid?

Does the Pentagon think we're stupid?
Wait, don't answer that... Any time you wonder what the government is spending your tax dollars on, just remember that the Pentagon now has a program where they are dropping 'cyber bombs' on ISIS. But what is a cyber bomb? I'm totally unclear on what a cyber bomb is. But one of the first things that comes to mind is "are there different classes of cyber munitions?" Cyber bullets? Cyber cruise missiles? Cyber tanks firing cyber sabots?

Update: Twitter follower Han Solo Mio noted that a Cyber A-10 might be the most appropriate munition and even created a pretty kick-butt logo for it (used here with permission).

Cyber A-10 Thunderbolt

Analogies for cyber munitions are all bad. The reality is that cyberspace is very unlike the traditional battlefield. As I see it, there are two primary differences between cyber and traditional warfare: prepositioning and deploying effects.

Prepositioning on cyber key terrain
The first difference is in prepositioning. Sure, we need to preposition physical assets for the physical battlefield, but when all else fails we have the 82d Airborne. Wheels up anywhere in 18 hours. The same can't be said for cyber. We can't preposition assets on cyber key terrain in 18 hours. It just doesn't work that way.

Prepositioning assets in cyberspace involves deploying malware. The longer you preposition malware in cyberspace, the more likely you are to be detected. When the malware is detected in one location, you lose that capability everywhere you have it deployed. The same isn't true for deploying a carrier battle group. When a carrier battle group is deployed (and inevitably detected), we don't lose the capability to deploy other carrier battle groups. Malware is different: once detected, it must be rewritten, which changes the calculus for prepositioning cyber assets.

Deploying cyber effects
A cyber effect is the more technical term for a 'cyber bomb' that the Pentagon has talked about deploying against ISIS. The problem is that once an effect is deployed against any adversary with any detection capabilities, it is gone forever. Cyber effects require prepositioning and are limited in their lifespan. As soon as effects are detected in use, even commodity antivirus will detect them.

Stop the rhetoric
Instead of saying we are dropping cyber bombs on the enemy, perhaps we can just say we're hacking ISIS and call it a day.  The American people aren't stupid (okay, maybe we are) and don't need these weak analogies to feel like we're having an effect on ISIS' online activities.