PGP INSIGHT

PGP CEO Blog
9 Sep, 2008
Chapter 2: Armies and Insurrections
I’ve written previously about the dangers of “fixed embattlements” in both warfare and data security. I’d like to extend this metaphor one step to provide some perspective on the changes that are now occurring in the war on cybercrime, as well as on how we need to change our mindset. This is big business for criminals: in one year alone the cost of cybercrime has jumped from $2 billion in 2006 to $7.1 billion in 2007, so we need to look at how the war is being fought if we are even going to begin to win some battles.
When two similarly sized and equipped armies face one another in battle, military historians refer to this as “symmetric warfare”. When a large, well-equipped military force does battle with a much smaller or ill-equipped force, it’s referred to as “asymmetric warfare”. Asymmetric warfare is what you often see in insurgencies or insurrections. Just because one side is much smaller or poorly equipped does not mean it’s necessarily destined to lose the war. It just means that it needs to pursue a strategy consistent with its capabilities and the enemy’s weaknesses.
It turns out, in fact, that standing armies don’t have a very good track record in asymmetric warfare. Partly this is because, to win an asymmetric war, a standing army must destroy or completely disable its enemy. A guerilla force, by contrast, can defeat a much larger force by simply staying in business, attacking opportunistically, and waiting until the larger force’s resources or will to win is exhausted.
Perhaps the most famous example of a small, ill-equipped force triumphing over a superior force in asymmetric battle is the American Revolutionary War. There were a few “set piece” battles, but for the most part the Americans inflicted physical and psychological damage on the British garrisons using the “hit and run” techniques common in this type of conflict. It isn’t always the case that the superior force is doomed to lose an asymmetric battle, but it requires the larger force to adopt a strategy that’s consistent with the nature of the battle it’s fighting.
Large standing armies are very, very good at certain things like attacking other similarly structured forces, taking and maintaining control of large swaths of ground, or protecting a civilian population in a limited geographic area as the armies of the city states of Europe did for centuries. For all of their benefits, however, standing armies also come with profound liabilities.
These liabilities include the need for a rigid command and control structure, access to an evergreen population of recruits or conscripts, and massive logistical operations to keep themselves fed, clothed and supplied with ammunition, spare parts and fuel. This means that if you can impair an army’s supply lines, it’s typically not long before the fighting portion of that army capitulates.
The reason this is all relevant to the current battle to protect confidential information is that for the last decade we’ve been engaged in an asymmetric battle with the enemy. We have the richest enterprises and governments on earth playing defense, almost exclusively, against a small, mostly invisible group of “data guerillas”. The guerillas emerge from hiding only long enough to attack one or more enterprises’ data infrastructure before receding into the near-absolute anonymity of the Internet. Our experience in doing battle with the hacker community has been more akin to putting down an insurrection than to actual war with an organized enemy.
As multi-national organized criminal syndicates come to dominate cybercrime, however, the battle will become less asymmetric and much more dangerous in terms of potential financial loss – as we found was the case in some of the recent breaches – TJX being more widely covered this past week (http://www.nytimes.com/2008/08/12/technology/12theft.html) as well as the Citibank breach (http://blog.wired.com/27bstroke6/2008/06/fbi-arrests-six.html). It’s not that these syndicates will replace the data guerillas as we know them. We’ll need to continue to develop new tools and techniques to mitigate the efforts of the script kiddies and their patrons, but from a strategic standpoint these will be extensions to current tools and strategies and will continue to involve playing mostly defense. Thus, we need to remember well the lessons we learned in the last 15 years of the data insurrection.
At the same time, however, we need to recognize that the strategies and technologies we deployed during the insurrection phase of the “data war” will serve roughly the same purpose as the Maginot Line in addressing the new threats we are now seeing from the global cybercrime syndicates. They’ll inform us when we’re under attack (sometimes), but they won’t provide very much protection from those attacks or allow us to counter attack the perpetrators.
I’ll deal with exactly how the strategy and tactics of the new data war will need to change and why we’ll likely need to form an entirely new force to fight an important portion of this battle in the next two blogs.
- Phil