Friday, May 21, 2010

Missiles vs. Bytes - Appropriate Response to "Cyber War"

The level of misunderstanding of the world of the Internet is incredible.  I don't dare say "cyber-space" because I've gotten to the point where I'm nauseated every time I hear someone prepend "cyber" to ordinary words.

My news feed has been flooded with articles like this one (Pentagon Says Military Response to Cyber Attack Possible) which, when read with the FUD & panic glasses off, make absolutely no sense.  What's worse is that there are quotes from various Washington leaders like this one:

Asked about the possibility of using military force after a cyber assault, James Miller, undersecretary of defense for policy, said: "Yes, we need to think about the potential for responses that are not limited to the cyber domain."

This type of thinking is very dangerous because, as the article goes on to say, we don't even quite have a handle on what would constitute an "act of cyber-war".  There are other problems with trying to use missiles to retaliate against bits too...

I think there are 2 glaring problems with the whole idea of identifying and declaring "war" on the Internet.  In order to be able to declare war - there has to be a clear definition of an "act of war".  We can almost define that in the real world.  Cornell has a pretty good definition of what constitutes an act of war ... but there is no clear understanding of how bits and bytes can be used to declare war, or even show international aggression.

Launching a DDoS is not equated to launching an ICBM, and no one in the international community will argue that it takes a physical act of aggression to actually start a war ...right?  War is a serious thing.  Lives are lost, misery and destruction follow.  These cannot be taken lightly in spite of some people's notions to the contrary.  The point here is that even something as serious as a successful attack against a power grid most likely wouldn't be considered an act of war, at least not by current thinking.  Physical destruction and the loss of life along with a threat to sovereignty would still likely be required to draw a military retaliation.

The other and perhaps more serious problem with this line of thinking is this - how can you be 100% sure that the purported attack is in fact originating from the nation-state?  If those of us in Information Security have learned nothing else about the way that attackers work - we've at least learned that attackers tend to like to use someone else's system/network to originate their attacks.  If I am North Korea, just as an example, and I want to attack the United States over the Internet I would naturally first stealthily compromise hordes of systems in, say, China.  I would then use those systems as launch-points for the attack against the US, and thus most likely avoid blame.  Also, in today's highly connected, distributed world of the Internet an attack would likely originate from thousands of sources globally which would make it nearly impossible to track.

So what are our political and military leaders saying, exactly?  Would the next GhostNet prompt a nuclear strike against China?  And if that's the thinking, how would that be justified to the International community?

There is a lot to consider, and while there is no true anonymity on the Internet, it is very possible to create such a complex attack (after all, any attack of this nature would necessarily be complex) originating from multiple locations and cloaked by zombie systems - that it may even be possible to trigger a "retaliation war" between 2 nations which really have nothing to do with the action - and that is my true fear.

So before you jump on the "cyber war" bobble-head bandwagon and start to echo the clearly clueless about how it's conceivable a military strike could be effective against "cyber war" ...please, think.  Your children's lives may actually depend on it.

...and remember - Friends don't let friends espouse 'cyber war'
