This is an all too common theme in computer security: shouldn’t we learn from the military? After all we are dealing with attack and defense, just as the military, and there is strategy and tactics in both fields, and military victory—or defeat—is just about as mysterious as computer security or insecurity. I think the military analogy is flawed and unlikely to take us anywhere. What we are doing is different in almost every important respect.
First of all, in computer security we do not engage in battle. A battle, conceptually, takes place between two (or more) of a kind. There may be considerable and obvious asymmetries, such as in guerrilla warfare or when one army has more advanced capabilities than another, but there is no intrinsic asymmetry. In particular, each party involved engages in both attack and defense and combinations thereof.This is not so in computer security, where we have good guys and bad guys. The good guys will never attack, and the bad guys rarely defend beyond the extend necessary to operate a reliable infrastructure. I suspect that most military strategies are pretty useless to someone who cannot attack.
Second, objectives are different, and so are the weapons, tactics, and strategies employed to achieve them. Military conflict is centered around force. The whole point of waging war is forcing our will upon somebody else. This is easy if we are much stronger than our opponent and there are no additional obstacles such as environmental conditions; it is hard, if we are weaker; and it is a matter of luck, intelligence, strategy and tactics when both parties are equally strong. In addition one has to deal with political factors, access to resources, public opinion, and so on, which tend to complicate things.
Computer security is about exerting control over systems, over data and data flow, and over the way data or system behavior are interpreted. One party—the good guys—uses their own resources and the official ways and means of controlling. The other party—the bad guys—employs unofficial ways and trickery to achieve their own objectives, often exploiting somebody else’s resources. Though this may be attempted in a military setting as well, no war has been won by trickery alone, as far as I am aware.
Third, surprise is rare in computer security. We are dealing with computers. They are deterministic (most of the times), even in their vulnerabilities. There are no dawn raids in computer security because a surprise attack does not make any sense. Either a vulnerability can be exploited or it can’t. If it can be exploited, there is usually nothing an alert victim could have done to prevent it, except for closing the vulnerability before someone attempted to exploit it.
Fourth, there are no campaigns, which at some at some point would be won or lost or end in a draw. Rather, computer security is a statistical property of the systems and networks we operate. There are damages from attacks, which we attempt to reduce to or keep at acceptable levels. Damages are often caused by larger numbers of individual attacks. There is no situation where we could claim to have won over some bad guy either unless we are not being attacked at all, for whichever reason. The good news is that we don’t have to win any fight. We only have to protect our systems against trickery and unauthorized exertion of control by others.
To sum up, the analogy between military considerations and computer security is very weak and superficial. I do not see how it could help us to make our computers and networks more secure.
PS: Read this comment as well.