Should Cyber Defense Go On the Offensive?

September 20, 2009 by ADMIN

By Richard Stiennon, Chief Research Analyst, IT-Harvest

It was May of 2008 that Colonel Charles W. Williamson III first posted his manifesto calling for the US to create a counter-offensive DDoS capability, with the completely ridiculous notion of recruiting thousands of government network computers to target the source of attacks.

For the record this is silly for several reasons.

  • In a typical DDoS attack the source is distributed across thousands of computers that specifically do not belong to the attackers. So flooding an otherwise innocent computer that could be your grandmother’s does nothing to hit back at the attacker.
  • DDoS attacks are asymmetrical. In order to DDoS thousands of drone machines you would need millions of government computers.
  • Doing anything like Colonel Charles W. Williamson III suggested would DDoS the entire government of the United States, since the machines enlisted in this battle would be useless for their real work and would completely clog the networks they were on.
  • The first time such an attack was set off the enemy would immediately become aware of every single computer that hosted the attacking agent, possibly identifying new targets for attack or infiltration.

So you can see that there is no sane way to use government computers to engage in a Distributed Denial of Service Attack.

But, for now I would like to address the question: Should the US engage in cyberattacks?

The National Research Council just published an in-depth exploration of this question in a report titled: “Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities”.

This is one of the most important publications to date on the topic of cyber preparedness and offense capabilities. It was prepared by a committee that spent over a year studying the issue, and it is well worth buying, although you can read it online.

Here now are my thoughts on the 22 findings that they highlight:

Overarching Findings

1. The policy and organizational issues raised by U.S. acquisition and use of cyberattack are significant across a broad range of conflict scenarios, from small skirmishes with minor actors on the international stage to all-out conflicts with adversaries capable of employing weapons of mass destruction.

This is an understatement. While the US government has tremendous resources it has never faced a challenge of this complexity.

2. The availability of cyberattack technologies for national purposes greatly expands the range of options available to U.S. policy makers as well as to policy makers of other nations.

From a war fighting and espionage perspective I can see the attraction. But policy makers are not prepared intellectually to use these options wisely. The Internet after all is not a “series of tubes”.

3. Today’s policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped, and highly uncertain.

This was demonstrated when Shawn Carpenter discovered and counter-attacked cyber assailants who had infiltrated Sandia, Army Research Labs, Lockheed Martin, NASA, and the World Bank.

They shut him down based on an ill-formed, undeveloped, and uncertain understanding of the legal issues.

4. Secrecy has impeded widespread understanding and debate about the nature and implications of U.S. cyberattack.

The Comprehensive National Cybersecurity Initiative is to this day classified. Even though Congress approved over $35 billion in spending and even though Melissa Hathaway spent most of 2009 reviewing it, the public has little knowledge of what it entails.

5. The consequences of a cyberattack may be both direct and indirect, and in some cases of interest, the indirect consequences of a cyberattack can far outweigh the direct consequences.

Ah, the very essence of threatchaos!

Legal and Ethical Findings

6. The conceptual framework that underpins the UN Charter on the use of force and armed attack and today’s law of armed conflict provides a reasonable starting point for an international legal regime to govern cyberattack.

However, those legal constructs fail to account for non-state actors and for the technical characteristics of some cyberattacks.

I agree that the UN Charter is a good place to start.

I also agree that the “democratization of cyber attacks” (to paraphrase Alex Karp, CEO of Palantir) means that trying to set rules of engagement for cyber war is going to be ineffectual.

7. In today’s security environment, private parties have few useful alternatives for responding to a severe cyberattack that arrives over a network such as the Internet.

Completely disagree. This is going to be my major finding of fault with this report: that defensive measures are inadequate, therefore offensive measures are justified.

8. Cyberattack poses challenges to existing ethical and human rights regimes.

Privacy, property, and speech to name three such regimes.

Policy Findings

9. Enduring unilateral dominance in cyberspace is neither realistic nor achievable by the United States.

Yes! Thank you for saying that.

10. The United States has much to lose from unrestrained cyberattack capabilities that are proliferated worldwide.

Perhaps, though, the projected losses of the power grid, water supply, or communication infrastructure are not so bad because they are likely to be short term.

11. Deterrence of cyberattacks by the threat of in-kind response has limited applicability.

Yes, my point at the beginning of this post.

12. Options for responding to cyberattacks on the United States span a broad range and include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks.

It’s those “kinetic” attacks that will have the most impact. Rambunctious back-hoes and dragging anchors have done more to disrupt the Internet than any other incidents.

Technical and Operational Findings

13. For many kinds of information technology infrastructure targets, the ease of cyberattack is increasing rather than decreasing.

Agree.

14. Although the actual cyberattack capabilities of the United States are highly classified, they are at least as powerful as those demonstrated by the most sophisticated cyberattacks perpetrated by cybercriminals and are likely more powerful.

I am concerned that what might be “classified” is that the US does not actually have cyberattack capabilities. It certainly did not in 2004.

15. As is true for air, sea, land, and space operations, the defensive or offensive intent motivating cyber operations in any given instance may be difficult to infer.

It is a lot easier to determine intent in those other domains than in cyber.

16. Certain cyberattacks undertaken by the United States are likely to have significant operational implications for the U.S. private sector.

Ah, yes. DDoS for one. Is it wise to undertake attacks knowing the collateral damage will exceed even that intended by the adversary? Might not the adversary attempt to incite a response to achieve its objective? Think about that one.

17. If and when the United States decides to launch a cyberattack, significant coordination among allied nations and a wide range of public and private entities may be necessary, depending on the scope and nature of the cyberattack in question.

For some reason this seems unrealistic. But certainly, if attacks were coming from a particular region, a few phone calls to the local carriers and ISPs could stop or mitigate the attack.

18. The outcomes of many kinds of cyberattack are likely to be more uncertain than outcomes for other kinds of attack.

I can imagine some scenarios, as can you. This finding is a good reason to think twice before going down this path.

19. Early use of cyberattack may be easy to contemplate in a pre-conflict situation, and so a greater degree of operational oversight for cyberattack may be needed compared to that for the use of other options.

Given the plausible deniability that can be achieved with cyber attacks, they could indeed become a low-level option, somewhere between recalling an ambassador and putting troops on alert.

Oversight? Tough one.

20. Developing appropriate rules of engagement for the use of cyberweapons is very difficult.

We are going to learn what is appropriate as we go I am afraid.

Organizational Findings

21. Both the decision-making apparatus for cyberattack and the oversight mechanisms for that apparatus are inadequate today.

Yes, and may be until a new generation of decision makers has moved in: 20 years?

22. The U.S. Congress has a substantial role to play in authorizing the use of military force, but the contours of that authority and the circumstances under which authorization is necessary are at least as uncertain for cyberattack as for the use of other weapons.

My advice is for democratic nations to stay back from the cyberattack scenario for now.

There are already continuous attacks going on around the world from dozens of countries, hundreds of groups, and thousands of individuals.

If everyone starts resorting to attacks, things will get messy very quickly.

On page 1-4 of this publication the committee states: “The inadequacy of passive defense suggests that the national debate over cybersecurity necessarily includes a consideration of attack options for defensive purposes.”

I believe this is the primary flaw in the findings of this committee.

Yes, US Federal Agencies and the Defense Department have inadequate cyber defenses, but the course of action should be to beef those defenses up, not to resort to cyber attacks as some sort of deterrent.

The biggest deterrent to a hacker has always been the late night knock on the door.

What is needed urgently is:

  • Better defenses. These are readily available in the private sector. The problem is that the US has not deployed, turned on, or properly configured the technologies needed to counter intrusions, exfiltration and denial of service attacks.
  • Better counter espionage. By back-hacking the attackers, evidence of their identities could be used to engage in diplomatic, economic or military sanctions.
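To make the defensive point concrete, here is an added example (not code from the article or from any product it mentions) showing the detection side of the distributed-source problem raised at the top of the post. With a flood spread across thousands of drone hosts, each source looks unremarkable, so per-IP rate limiting flags nothing; a volumetric check against a known baseline catches it. All addresses, paths and volumes are constructed for the demo.

```python
"""Added example (not from the article): per-source blocking misses a
distributed flood, while aggregate-rate detection catches it.

Every address, path and request volume here is constructed for the demo.
"""
from collections import Counter
import random

WINDOW_SECONDS = 60  # size of the observation window


def make_sample(seed: int = 1, drones: int = 2000) -> list[str]:
    """Build one minute of constructed access-log lines: 'second ip path'."""
    rnd = random.Random(seed)
    lines = []
    # 50 legitimate clients, a handful of requests each (hypothetical 10.0.0.0/24 addresses)
    for i in range(50):
        ip = f"10.0.0.{i + 1}"
        for _ in range(rnd.randint(3, 7)):
            lines.append(f"{rnd.randint(0, WINDOW_SECONDS - 1):02d} {ip} /index.html")
    # Drone hosts, 4 requests each: individually unremarkable, collectively a flood
    # (hypothetical 172.16.0.0/12 addresses, unique per drone)
    for j in range(drones):
        ip = f"172.16.{j // 250}.{j % 250 + 1}"
        for _ in range(4):
            lines.append(f"{rnd.randint(0, WINDOW_SECONDS - 1):02d} {ip} /search?q=x")
    rnd.shuffle(lines)
    return lines


def parse_line(line: str) -> tuple[int, str, str]:
    """Split a constructed log line into (second, client ip, path)."""
    sec, ip, path = line.split(" ", 2)
    return int(sec), ip, path


def per_source_offenders(lines, threshold: int = 50) -> set[str]:
    """Per-IP rate limiting: flag any source above `threshold` requests in the window."""
    counts = Counter(parse_line(line)[1] for line in lines)
    return {ip for ip, n in counts.items() if n > threshold}


def distinct_sources(lines) -> int:
    """How many different client addresses appear in the window."""
    return len({parse_line(line)[1] for line in lines})


def aggregate_rps(lines) -> float:
    """Total requests per second across all sources."""
    return len(lines) / WINDOW_SECONDS


def flood_detected(lines, baseline_rps: float, factor: float = 5.0) -> bool:
    """Volumetric detection: total rate exceeds `factor` times the known baseline."""
    return aggregate_rps(lines) > factor * baseline_rps


if __name__ == "__main__":
    sample = make_sample()
    print("distinct sources:", distinct_sources(sample))
    print("per-source offenders:", per_source_offenders(sample) or "none")
    print("aggregate rps: %.1f" % aggregate_rps(sample))
    print("flood detected:", flood_detected(sample, baseline_rps=5.0))
```

The baseline of 5 requests per second stands in for whatever a site normally sees; in practice it would be learned from history rather than hard-coded. Note that the only thing the detector can name is the set of source addresses, which, as the post argues, are the drones rather than the attacker.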

Is the best way to counter the rise of bike gangs in Canada for the government to create a rival bike gang? No. Is the best way to counter Somali pirates to develop piratical abilities? No. Is the best way to fight biologic weapons to develop more virulent pathogens? No.

The best way to counter cyberattacks is with cyber defense.

Announcing the birth of Cyber Defense Weekly, a newsletter created to give participants in this new category a comprehensive summary of the week’s news, product announcements, and escalations in cyber threats.

Simply provide your email address here to become a subscriber.

Comments and input are welcome as always on this critical new category.

Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently re-launched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor. Prior to that he was VP Threat Research at Webroot Software. Before Webroot, Mr. Stiennon was VP Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner’s Thought Leadership award and was named “One of the 50 most powerful people in Networking” by NetworkWorld Magazine.

* * *


The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com




Comments

One Comment on Should Cyber Defense Go On the Offensive?

  1. Stop DDoS and Worms at ISP Level? | The Shivling on Mon, 21st Sep 2009 10:48 am

     [...] service consists of a cloud-based solution. Which brings me back to the idea that, since counter-attack is kind of a silly idea when you’re fighting 100,000+ hosts, (plus, do you really want [...]
