黄兵的个人博客

网络战（Inside.Cyber.Warfare.2nd.Edition）

Since the first edition of Jeffrey Carr’s Inside Cyber Warfare: Mapping the Cyber

Underworld was published, cyber security has become an increasing strategic and

economic concern. Not only have major corporations and government agencies

continued to be victimized by massive data thefts, disruptive and destructive attacks

on both public and private entities continue and show no signs of abating. Among the

publicly disclosed targets of cyber attacks are major financial institutions, entertainment

companies, cyber security companies, and US and foreign government agencies,

including the US Department of Defense, the US Senate, and the Brazilian and the

Malaysian governments.

Many of these cyber penetrations are aimed at theft of identity or financial data for

purposes of criminal exploitation. These cannot simply be regarded as a “cost of doing

business” or tolerable losses; such episodes undermine the public trust, which is the

foundation for business transactions over the Internet. Even more significant is the

threat posed by cyber theft of intellectual property. Every year, economic competitors

of American businesses steal a quantity of intellectual property larger than all the data

in the Library of Congress. As a result, these rivals are gaining an unfair advantage in

the global economy.

Also gaining in seriousness are organized efforts to disrupt or even destroy cyber

systems. Anarchist and other extremist groups, such as Anonymous and LulzSec (and

their offspring), seek to punish those with whom they disagree by exposing confidential

data or disrupting operations. Recent breaches of cyber security firms such as HBGary

and EMC’s RSA SecurID division demonstrate a strategic effort to undermine the

security architecture on which many enterprises rely. And the multiplication of social

media and mobile devices will create many more opportunities for cyber espionage,

social engineering attacks, and open source intelligence collection by nation-states,

terrorists, and criminal groups.

Since the formation of the Comprehensive National Cybersecurity Initiative in 2008,

the US government has unveiled a series of security-related strategies, including

legislative proposals. These are useful and important steps, but they’re not enough to

keep pace with the growing and diversifying threats. The private sector in particular

must take ownership of much of the burden of defending the networks they own and

operate. Moreover, while technology and tools are key to the solution, human beings

are at the heart of any security strategy. Unless those who use the Internet observe good

security practices, defensive technologies will merely be a bump in the road to those

who seek to exploit cyberspace.

Finally, while defense against cyber attacks is important, it is not enough. When cyber

attacks damage critical infrastructure or even threaten loss of life, sound strategy calls

for preventive and deterrent measures. While some downplay the idea of cyberspace

as a warfare domain, occurrences such as the 2008 Russia-Georgia conflict underscore

that information systems are very much part of the battlefield of the future. For this

reason, the US Department of Defense has issued its first official strategy for operating

in cyberspace. To be sure, difficulties in attribution and questions of legal authority

complicate the application of warfighting concepts to cyberspace. Nevertheless, we

must tackle these issues to determine what measures can be taken offensively to eliminate

or deter critical cyber threats, when those measures should be triggered, and who

should carry them out. Without formulating a strategy that encompasses these measures,

our cyber security doctrine will be, at best, disconnected and incomplete.

For policymakers and business leaders, cyber warfare and cyber security can no longer

be regarded simply as the province of experts and technicians. The leadership of any

public or private enterprise must consider the risks of and responses to cyber threats.

This latest edition of Jeffrey Carr’s volume is indispensable reading for senior executives

as well as savants.

—The Honorable Michael Chertoff,

former Homeland Security Secretary

and co-founder of The Chertoff Group