Synopsis 02: The Bases of Information Security: can we escape the Offensive-Defensive-InfoWarfare-Security dilemma?


1. The Bases of Information Security: from an InfoWarfare viewpoint and the Offensive-Defensive-Security dilemma

A common mistake is that we jump directly to information security-related actions and activities (i.e., using antivirus, conducting information risk management, etc.) without properly acknowledging why we need them. What is it for which an individual, an organization, or a government essentially requires information security? In essence, why are we thinking, in the first place, of the word “security” concerning the information we hold?

The answers to all these questions can be formulated with only one word: information warfare (InfoWarfare). Why is it so? Because InfoWarfare, unlike traditional warfare, involves a battlespace (i.e., the use and management of information and communication technology (ICT), or the spaces in which we hold information, such as our brain and body, paper, mobile phone, computer, server, etc.) being invaded by an unauthorized entity pursuing a competitive advantage over the entity that originally holds the information.

InfoWarfare is fundamentally different from its traditional counterpart in the following ways:

- Nobody knows when InfoWarfare begins, when it ends, or how destructive it can become. For example, think about the scale of hypothetical consequences that a zero-day worm attack, currently unknown to the collective knowledge of all information security professionals worldwide, could bring globally (like the way the Covid-19 pandemic appeared in the global health system in late 2019 and early 2020). Could it not become a catastrophe more impactful than the Covid-19 we are presently experiencing?

- The risk for the unauthorized entity engaging in InfoWarfare is substantially lower than for the entity that wages conventional war (e.g., in 2000, a DDoS attack performed by a 15-year-old boy known as MafiaBoy caused about US$ 1.2 billion in equivalent damage). This makes it easier to conduct InfoWarfare more frequently than conventional war.

- Mass integration of ICT on a global scale makes it harder to determine who is ultimately responsible for an act of InfoWarfare.

- Civilian technologies can easily be targeted in InfoWarfare, and at the same time an attack can even be launched through civilian computers or websites. Defending against such attacks is therefore even more challenging, as it is harder to enforce control over civilian infrastructure due to ethical concerns such as the right to privacy.

In a nutshell, InfoWarfare signifies the use of ICTs for gaining competitive advantages over an opponent. We generally do not know what kinds of competitive advantages it may bring; they can range from financial to political to a just-for-fun exercise. The general weapons used for InfoWarfare include viruses, worms, Trojan horses, logic bombs, trap doors, nanomachines and microbes, electronic jamming, and penetration exploits and tools.

There are various forms of InfoWarfare, most notably the following categories:

- Command and Control InfoWarfare (C2 InfoWarfare) refers to the impact an attacker possesses over an information system that they control.

- Intelligence-based InfoWarfare uses sensor-based technologies that directly corrupt ICT systems.

- Electronic InfoWarfare uses radio-electronic and cryptographic techniques (which use bits and bytes to disrupt the means of transporting information) to degrade ICT-based communication.

- Psychological InfoWarfare uses various techniques, such as propaganda and terror, to demoralize one’s adversary.

- Hacker InfoWarfare generally uses viruses, logic bombs, Trojan horses, and sniffers to achieve various malicious objectives, such as shutting down systems, theft of information and IT services, monitoring systems, manipulating access data, manipulating data errors, false messaging, etc.

- Economic InfoWarfare blocks the flow of information nationwide or across a significant segment of the digital world.

- Cyberwarfare is the broadest of all forms of InfoWarfare and includes information terrorism, semantic attacks, and simulated warfare.

The forms of InfoWarfare mentioned above rely on any of the following strategies:

- Defensive InfoWarfare strategies use all actions and techniques to defend against attacks on ICT assets, including prevention, deterrence, alerts, detection, emergency preparedness, and response systems.

- Offensive InfoWarfare strategies involve attacks against the opponent's ICT assets, including passive attacks, active attacks, close-in attacks, insider attacks, and distribution attacks. An organization can also deploy a proactive form of Offensive InfoWarfare through the use of ethical hacking.

- General InfoWarfare strategies, generally arranged by an organization, utilize the collective efforts of both Defensive InfoWarfare and Offensive InfoWarfare strategies to ensure an optimal level of information security.

The above Defensive InfoWarfare and Offensive InfoWarfare strategies convey an interesting security dilemma that has been famously used in cognitive science, international relations, and international politics for many decades. It firmly argues that when Defensive InfoWarfare has the advantage over Offensive InfoWarfare, a major InfoWarfare can be avoided. That is why it is worth pinpointing the essence of the Offensive-Defensive-Security dilemma, given below.

The offensive and defensive security dilemma, also known as the spiral model and driven by structural realism, refers to a situation under anarchy [i.e., in international relations, anarchy means that the world lacks any supreme authority or sovereignty; it is hypothetically the same situation as the first point about InfoWarfare discussed above: nobody knows when InfoWarfare begins, when it ends, or how destructive it can become] in which the actions performed by a state and intended to heighten its security lead other states to respond with similar measures, producing increased tensions that create conflict even when no side really desires it.

Robert Jervis, a professor at Columbia University, formulated in his paper* four scenarios to describe the intensity of the offense-defense security dilemma. Below, these scenarios are described in light of the Offensive-Defensive-InfoWarfare-Security dilemma:

Scenario A: when offensive and defensive behaviors are not distinguishable, but the offense has an advantage, the InfoWarfare-Security dilemma is “very intense,” and the environment for the InfoWarfare is “doubly dangerous.”

Scenario B: when offensive and defensive behaviors are not distinguishable, but the defense has an advantage, the InfoWarfare-Security dilemma is “intense” in defending the organization’s behavior but not as intense as scenario A.

Scenario C: when offensive and defensive behaviors are distinguishable, but the offense has an advantage, the InfoWarfare-Security dilemma is “not intense,” but information security issues exist. The environment is safe, but the offensive behavior has an advantage that may cause an attack at some future time.

Scenario D: when offensive and defensive behaviors are distinguishable, but the defense has an advantage, the InfoWarfare-Security dilemma has little or no intensity, and the environment for information security is “doubly safe.”

Now, if we observe the cyberthreat and cybersecurity intelligence, trends, and practices of the last decade, we can constructively come to the following concluding points:

Conclusion A: those who advocate for Offensive-InfoWarfare-Security strategies to be implemented in an organization in any given environment promote Scenario A, and vice versa. [When I gave the example of a zero-day above, I heightened Scenario A.]

Conclusion B: those who advocate for Defensive-InfoWarfare-Security strategies to be implemented in an organization in any given environment promote Scenario B, and vice versa.

Conclusion C: those who advocate for General-InfoWarfare-Security strategies (meaning both Offensive- and Defensive-InfoWarfare-Security) to be implemented in an organization in any given environment promote both Scenarios A and B, and vice versa.

Conclusion D: nobody thinks, or most of us do not think, of Scenarios C and D.

2. An analogy between the current legal framework of cybersecurity with the banking sector's legal framework in the EU and Luxembourg

Now we make a brief comparison between the current legal framework of cybersecurity and the banking sector's legal framework in the EU and Luxembourg. There, you may find the same pattern of legal evolution that fits the recent legal developments in the cybersecurity domain, with the same type of aim: to establish a single market (the Euro in the case of the banking sector, and a single cybersecurity market in the case of the latter). [Please see synopsis 1 below for further information in this regard.]

There was a time in Luxembourg, not long ago, when there was no central bank (the BCL) and also no financial regulatory authority (the CSSF). There was no legal reporting mechanism based on XBRL for collecting, monitoring, and evaluating financial data and the systemic risks associated with those data. But now we have all that we did not have even one and a half decades ago. All of this in the banking sector started with a single piece of EU legislation, EU Regulation 1093/2010 (which established a European Banking and Supervisory Authority (EBA)). This is, to me, the same as what we now have with EU Cybersecurity Regulation 2019/881 (by which ENISA received its legal personality together with a package of legal powers to harmonize cybersecurity practices as well as to promote the single cybersecurity market in the EU).

3. What does this analogy teach us?

It indicates that there will be many legal and regulatory implications (EU Level-1 and Level-2 legislation and their corresponding transposed local laws and case law) in the area of cybersecurity and AI practices at the institutional level in the EU and LU in the coming years. Therefore, an institution in these jurisdictions needs to be organized to cope effectively and efficiently with these upcoming legal and regulatory obligations.

Most importantly, it also indicates that the above-discussed Scenarios A and B, in conjunction with Conclusions A, B, and C, have laid down the bases of information security in the EU and LU.

4. Can we escape the Offensive-Defensive-InfoWarfare-Security dilemma?

Therefore, the question is: can we escape the Offensive-Defensive-InfoWarfare-Security dilemma? My take on it is a big NO. Because, in my view, when everybody gets richer due to the information security businesses motivated by the Offensive-Defensive-InfoWarfare-Security dilemma, nobody cares to escape [the moral of the movie Gold (2016), directed by Stephen Gaghan and written by Patrick Massett and John Zinman].

What would be the content of the following synopsis?

In the next synopsis, I will explain all the crucial elements (the state-of-art) currently practiced as Defensive InfoWarfare strategies, Offensive InfoWarfare strategies, and General InfoWarfare strategies in the information security domain.


 

* Jervis, R. "Cooperation Under the Security Dilemma," World Politics, vol. 30, no. 2 (1978): 186–214, Cambridge University Press.
