Shostack + Friends Blog Archive


The High Price of the Silence of Cyberwar

A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by it’s very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.”

I don’t agree that all sides are obviously motivated to keep incidents secret, and I think that it’s worth asking, is there a strategic advantage to a policy of disclosure?

Before we get there, there’s a somewhat obvious objection that we should discuss, which is that the defender instantly revealing all the attacks they’ve detected is a great advantage for the attacker. So when I talk about disclosing attacks, I want to include some subtlety, where the defender is taking two steps to counter that advantage. The first step is to randomly select some portion of attacks (say, 20-50%) to keep secret, and second, randomly delay disclosure until sometime after cleanup.

With those two tactical considerations in place, a defender can gain several advantages by revealing attacks.

The first advantage is deterrence. If an defender regularly reveals attacks which have taken place, and reveals the attack tools, the domains, the IP addresses and the software installed, then the attacker’s cost of attacking that defender (compared to other defenders) is higher, because those tools will be compromised. That has a deterring effect.

The second advantage is credibility. In today’s debate about cyberwar, all information disclosed seems to come with an agenda. Everyone evaluating the information is forced to look not only at the information, but the motivation for revealing that information. Worse, they can question if the information not revealed is shaped differently from what is revealed. A defender who reveals information regularly and in accordance with a policy will gain credibility, and with it, the ability to better influence the debate.

There’s a third advantage, which is that of improving the information available to all defenders, but that only accrues to the revealer to the extent that others don’t free ride. Since I’m looking to the advantages that accrue to the defender, we can’t count it. However, to the extent that a government cares about the public good, this should weigh in their decision making process.

The United States, like many liberal democracies, has a long history of disclosing a good deal of information about our weaponry and strategies. The debates over nuclear weapons were public policy debates in which we knew how many weapons each side had, how big they were, etc. What’s more, the key thinking about deterrence and mutually assured destruction which informed US policy was all public. That approach helped us survive a 50 year cold war, with weapons of unimaginable destructive potential.

Simultaneously, secrecy around what’s happening pushes the public policy discussions towards looking like ‘he said, she said,’ rather than discussions with facts involved.

Advocates of keeping attacks in which they’ve been victimized a secret, keeping doctrines secret, or keeping strategic thinking secret need to move beyond the assumption that everything about cyberwar is secret, and start justifying the secrecy of anything beyond current operations.

[As thegruq doesn’t have a blog, I’ve posted his response ““]

2 comments on "The High Price of the Silence of Cyberwar"

  • Marcos says:

    Congratulations, I´ve thought your article very interesting. I agree that secret about incidents don´t have to do, necessarily, part of definition of cyberwar. However, the concept of “deterrance” as a defensor advantage could be rethought from the viewpoint that information about some incidents reveals vulnerabilities and weakenesses that organizations can´t treat.
    As a example, I propose a scenario where a XSS attack has got success against a software of ACME organization. This may reveals that ACME software team doesn´t consider XSS protection in software artifacts produced. For an attacker, this can give rise a series of attacks against all software in ACME portfolio, where is impossible for ACME software team correct all bugs in these products.
    This example is about one organization. In a cyberwar, it is common exist N organizations in a much more complex scenario.

  • kajal says:

    Nice article!!
    Really Cyber security is a holistic problem and needs a holistic solution.
    this field has a vast scope and IT field is really in need of cyber security professionals .
    Programs related to cyber security are provided at Appin Institute for Cyber Security.
    for more details log on

Comments are closed.