CYBEREYE—Commentary

U.S. needs to be cautious in asserting its intention to defend its cyber turf

If we don’t know who is attacking us and why, we run the risk of escalating minor incidents with inappropriate responses

Halfway through the Obama administration’s comprehensive review of the nation’s strategy for cybersecurity, the process is being second-guessed by experts and commentators of all stripes. Phrases such as “digital 9-11” are being used freely, and there are calls for the government to issue the cyber equivalent of the Monroe Doctrine, giving would-be trespassers notice of our intention to defend our cyber turf.

This sounds good. Who wouldn’t be in favor of self-defense? But we need to be careful about making such assertions when we really do not know what is going on.

For several years, there has been a drumbeat of reports of violations of government and corporate IT systems, apparently seeking classified and proprietary information. Sometimes they appear to be coordinated, and some have been tracked to apparent sources in other countries, most notably China. Our military has announced it is developing cyberwarfare capabilities, in part because it assumes other nations are developing them as well. It is an easy step to assume that these intrusions are part of such an effort by hostile nations.

But the fact is, we do not know where these “attacks” are coming from or who is behind them. It could be hackers, it could be organized criminals, it could be terrorists, and it could be foreign governments. Or it could be some other category we have not yet considered.

These distinctions matter, because our response to any incident should depend on the nature of the incident. The last administration’s failure to distinguish between a terrorism incident and an act of war led to tragic results from our response to the 2001 terrorist attacks. In cyberspace, we need to be able to distinguish ill-advised curiosity from hostility, and nation-states from individuals or nongovernmental organizations.

Amit Yoran, former director of the Homeland Security Department’s National Cyber Security Division and now chief executive officer of NetWitness Corp., summed up this challenge in his testimony last week before the House Homeland Security Committee.

“There is a clear and distinct conflict of interest between intelligence objectives and those of system operators,” Yoran said. Simply put, information assurance is about quickly spotting, stopping and recovering from an incident. Intelligence is about monitoring and learning about the incident. “For instance, intelligence and law enforcement entities often prioritize attack attribution, while almost no emphasis is placed on attribution by those defending systems.”

Because of different aims, intelligence and defense are in some senses mutually exclusive. “Rather than sharing information with operators and better informing them as to how they can defend and monitor themselves, an intelligence community centric mindset around cyber would limit information exchange and instead focus on enabling the intelligence community to perform an expanded and aggregated monitoring program.”

So we cannot rely on intelligence capabilities to provide tactical cyberdefense, but these capabilities are necessary for strategic policy. Unfortunately, we do not yet have the cyber intelligence capacity to inform a comprehensive cyberstrategy. Until we do, we should be careful about establishing doctrines we cannot adequately enforce.

It makes a real difference to our response whether the guy behind the offending computer is wearing a Chinese uniform in Beijing, eating cheesy poofs in his mother’s basement in Dallas, or is a Russian criminal working in Bangkok. One we might want to put in jail, another we might slap on the wrist, and another we might want to take offline with “extreme prejudice.”

Foreign governments might not like it if we attack their cyber turf in retaliation for a misperceived attack, and that could put our own turf at greater risk. So before we put anyone on notice, let’s make sure we know who we are talking to and what that notice should be.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Mar 24, 2009 dio ether

The fact of the matter is that our current responses to cyber espionage and cyber crime have been inherently ineffective. We are getting convictions for events that happened like 3 years ago in the IRC bot days. There has been almost no traction in the intelligence and enforcement sides with regard to cyberespionage and some of the most damaging threats such as spear-phishing incidents with regard to actually outing those responsible or conducting innovative research into attribution and retribution against these attacks. The real problem is that we assume that our systems are "securable" on which we operate critical enterprise operations. Bottom line, if it runs code it can be broken, and that includes firmware and hardware. See invisiblethings.org for hardware level attacks. The NSA should have the capability to run offensive cyberoperations against malware infrastructure and black ops against cybergroups, but if it were actually effective it would leak out. I.e., malware author disappears, systems and forums are wiped, destroyed with no trace of what happened, malware gang members getting caught in stings, rolling on each other, the sowing of discord, paranoia, and distrust among cybergangs due to operational efforts to impact their operations. All of these things are doable with resources and expertise. Whether they are being done or not is another story. Actions such as these do not come out of hierarchical command and control organizations; they come out of resourced decentralized networks with a common goal and a freedom to act. If properly constructed and run, it is very possible to conduct offensive cyberoperations against fleshware as well as infrastructure enabling much of this malware activity. Do not believe for a second that you can't due to malware using P2P networks, proxies, steganography, or encrypted tunnels. There are targets that can be subverted, infiltrated, attacked and neutralized.
There are Internet Governance mechanisms that can be tweaked to drain the vulnerability surface that our systems are exposed to. I.e., DynDNS, SecureDNS, fastflux, et cetera. For more on research into these through memes on Hacking Security Constructs go to www(.dot)conanthedestroyer(.dot)net Dio

Wed, Mar 18, 2009 Dave

While people’s hearts are in the right place, attacking a site that an attack came from is not a good idea. Most attacks on USGOV sites come from third party computers. Sometimes these third parties are in other countries. Attacking the other country or these third party computers is really dangerous. What if the third party computer is a baby monitor and a baby dies as a result? What if the third party computer controls a waste treatment plant? Think about the bad PR and the lawsuits. While I think it is just as stupid to put critical systems like baby monitors and waste management systems on the Internet, the fact is it’s done. We simply can't just attack back blindly.

Tue, Mar 17, 2009 Jim M Pensacola

Defense-in-depth, as all are trying to implement for cyberwarfare, depends upon maneuvers to which the contact's response often reveals his intention. Unambiguous warning is provided tactically if possible when the threat approaches too closely. Detection is the first step, not the last; intelligence and operators have learned how to use each other well and as tools improve will do so in cyberspace. Policy statements regarding the right and intention to defend are made well in advance of action.

Tue, Mar 17, 2009

As citizens of the U.S. we give up some of our personal security for the sake of freedom. As we have embraced the internet, e-business and social computing our net-life has merged with our real lives – personal and business. We must approach cyber security with the same balance as we do in the physical world. We simply don’t throw folks in jail for incidental trespassing – nor should we throw someone in jail, nor heavily fine them, for the cyber equivalent. Our goal should be the proper and measured response to those intrusions with real malicious intent without starting another arms race.

Tue, Mar 17, 2009

Another ditto for Mr. Anthro. Did we all not learn in childhood that "curiosity killed the cat"? And hackers should not be immune from that metaphorical outcome either. All hackers, curious or malicious, are essentially mini-terrorists who do not make any positive contribution to society and should be treated as the lowlife criminals they are. Just as airport security has become so unpleasant after the terrorist attacks, our lives are already negatively impacted (having to load and maintain updated antivirus software, etc). Better to offend the "curious" few than inconvenience the innocent masses, or worse, suffer the consequences of a coordinated attack because we were so fearful of offending someone that we failed in defending ourselves.
