Schneier on Security
A blog covering security and security technology.
« Wanted: Skein Hardware Help |
| Successful Attack Against a Quantum Cryptography System »
September 2, 2010
Cyber-Offence is the New Cyber-Defense
This is beyond stupid:
The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary's computer network overseas—but it is still wrestling with how to pursue the strategy legally.
The department is developing a range of weapons capabilities, including tools that would allow "attack and exploitation of adversary information systems" and that can "deceive, deny, disrupt, degrade and destroy" information and information systems, according to Defense Department budget documents.
But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries' sovereignty.
"Some" officials are questioning it. The rest are trying to ignore the issue.
I wrote about this back in 2007.
Posted on September 2, 2010 at 7:33 AM
• 44 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Only one thing to say:
Too bad it really isn't funny.
later somebody will come up with a genius idea of premptive strike doctrine
Well, the Chinese seem to have solved these issues. I was literally being attacked about 10-15 times a day from China hosts on my home UNIX machine. Complaints to ISP's are ignored, and action (apparently) is never taken.
Maybe we need to look at how they do it :)
I finally blocked all the chinese subnets in my firewall, because I was sick of the attacks.
"Though officials have not clearly defined the term and no consensus exists on what it means, Lynn has said the approach includes "reaching out" to block malicious software "before they arrive at the door" of military networks."
We must spam them over there so that they do not spam us at home!
""We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us," Gen. Keith Alexander, the head of the Pentagon's new Cyber Command, told an audience in Tampa this month."
Yes we do! And those were traditionally called "bombs" delivered by "aircraft" or "missiles".
"The command - made up of 1,000 elite military hackers and spies under one four-star general - is the linchpin of the Pentagon's new strategy and is slated to become fully operational Oct. 1."
So we'll be seeing real improvements in consumer OS security from those "elite military hackers", right? No, of course not.
"Another senior defense official said, "I think we understand that in order for us to ensure integrity within the military networks, we've got to be able to reach out as far as we can - once we know where the threat is coming from - and try to eliminate that threat where we can.""
Vulnerable is vulnerable. Just because you spam someone's blog first does not improve the security of your system.
"The military's dismantling in 2008 of a Saudi Web site that U.S. officials suspected of facilitating suicide bombers in Iraq also inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas, for example, and the Obama administration put a moratorium on such network warfare actions until clear rules could be established."
A web site. Just a web site. And you still bungled it.
I hereby coin the term 'Cyber Rattling'.
Does anyone here really believe that we don't already do this. Take a look at the Navy Center for Information Dominance. Guess what they do...
Yes, this is bad-- but the U.S. government already adopted the general policy of directly 'terminating' the lives of American citizens overseas ... who are merely "suspected" of terrorist activity, with no legal or judicial due process whatsoever.
This internet threat issue is trivial compared to the vast threat we all personally face from unchecked Potomac power.
The underlying political problem is far, far worse than mere stupidity about cyberspace.
Makes me remember a talk by PaulDotCom.com at a Hackfest event last year.
The talk "Offense is the new defense" was not aimed at retaliating directly to intruders but more focused on annoying the hell out of them by making them waste precious time and resources dealing with weird protocols response and other legal stuff.
All that while keeping your data safe. There are ways to retaliate without crossing borders.
This stems from aggressiveness, big sticks and tiny brains. It may also be a bit of a cultural thing that compels especially Americans to see use of violence, and especially killing people, as a promising strategy, regardless of the actual situation. May be one reason why the US is so universally disliked.
As far as I'm aware the American 'war doctrine' since WWII ended has been to attack little guys (or atleast that is what Right Wing Mil thinking has been).
Just about every time the US military has been used since WWII it has been detremental to US interests.
Why do I therfore have a sense of forboding about this stupidity.
Here in the UK, we rely on the relatively unsophisticated techniques employed by UFO nutjobs like Gary McKinnon to bring foreign countries to their knees.
They say people in glass houses shouldn't throw stones. Or leave servers exposed to the internet with poor password security. Or communicate with little green men.
US strategy is to overthrow democracies if they are not wholly owned buy US. it worked so well in iran in 1953. We just cant understand why it backlashed a generation later after we appointed a former CIA director to help the shah run his fief. Governments of National Security was the strategy and still is, strong caudillos all over latin america trained in the school of coups, Karzai and who ever will rise to be the big warlord of iraq in about ten years will have a big paycheck from the US taxpayer to put away in swiss banks for that day when democracy, revolution or people power rises against the puppets.
So are these preemptive strikes going to be limited to "military" targets? LOL
How can the U.S. Government ever justify taking out zombie home and business computers residing in a foreign country? Will it be okay for other governments to take out zombies in the U.S?
This is another example of how to set a bad example. =/
Going beyond the politically belittling comments, I'm not sure what is so stupid about trying to figure out how to strike back at an attacker, cyber or otherwise.
I don't think this would be technically or politically feasible in a peacetime situation as part of "active defense", but if the US goes to war with another country, I certainly hope that the military has some plan on how to degrade their network infrastucture beyond dropping bombs.
What is stupid is that it isn't "striking back" if you hit first.
Since (as the linked article states) there isn't even a definition of "active defense", people are justly concerned. Having effective rules of engagement in an area where even rudimentary terms lack a commonly-held meaning is a prescription for a massive screw-up.
What a coincidence, I'm contemplating an aggressive approach to defending my girlfriend's honor by tearing off that leering guy's head and pooping down his neck. I am also still wrestling with how to pursue the strategy legally.
"The command - made up of 1,000 elite military hackers and spies under one four-star general"
All certified in the art of hack foo.
Come on, these statements really are ridiculous.
"One senior defense official said that active defense is akin to being in a battle zone"
That's exactly the problem. They don't understand that the internet is not a battlefield. The good guys and the bad guys are all mixed together. It's the problem with leaving cyber defense to the military, the only response is to bring the big guns instead of the most appropriate solution.
The sad thing is we end up paying for all of this.
This has already happened. All those "accidentally" cut undersea cables. The Ericsson wiretapping incident in Greece, and the similar one in Italy that led directly back to the CIA. Both incidents notable for the "suiciding" of key telecommunications personnel. Anyone who thinks they're not willing to break international law even up to the point of murder is living in a dream world.
There's no doubt in my mind that they've done this already. Good example is WikiLeaks. Leaked classified pentagon documents discussed disruption of service, infiltration, network analysis and subversion of whistleblower websites as early as 2008.
No surprise is it, since it's main objective seems to be offense, rather than defense. -Hinting to offensive wars. If they can't do it legally, they try to do it lawfully. When that fails, they just concoct a feigned reason to go to (Cyber) war.
Notice massive amounts of fabricated fear mongering about Cyber criminals lately; grooming people to another ill-scheme of offense, and conditioning people to give up (even) more liberties.
Maybe they could design a system that first copies all the content from all the computer systems around the world. That way, they'd have a "back-up" of everything just in case they accidentally erase the wrong information. It's the least they could do.
"That's exactly the problem. They don't understand that the internet is not a battlefield."
But this is more like "marketing by analogy" than anything else.
The brass wants funding so they throw some military verbiage and bad analogies around and Congress throws money back.
A better analogy for "blogo-war" would be a video game.
You have purchased network upgrade "badly configured firewall". This can be combined with the "competent admin" personnel upgrade to achieve "correctly configured firewall". The "correctly configured firewall" achievement provides +5 vs enemy blogo-probes and negates any tech level 3 or lower attack on protected resources.
But that doesn't sell book tours, does it? Not like machine guns and blogosphere 9/11.
"1,000 elite military hackers "?
"Elite military hacker" is the same as "military intelligence", i.e., an oxymoron.
"Maybe they could design a system that first copies all the content from all the computer systems around the world. That way, they'd have a "back-up" of everything just in case they accidentally erase the wrong information. It's the least they could do."
If I remember correctly, that was the plan in "Live Free and Die Hard", to copy the entire wealth of America into a bunch of servers - conveniently for the guy who designed the system who intended to rob those servers.
Besides, the military doesn't do anything "accidentally" - it's called "collateral damage" - and they know precisely when they do it and they don't give a damn because the "collateral damage" aren't Americans.
I enjoyed Richard Clarke's commentary, presumably in response to this news, based on stills from "Dr. Strangelove":
"Deterrence is the art of producing in the mind of the enemy...the fear to attack. It's that the point of the doomsday machine...is lost if you keep it a secret. Why didn't you tell the world?"
Haha, exactly right!
I have the occasional disagrement with Brandioch Conner on nitty gritty technical points.
However when it comes to "the great appropriations game" that our supposed betters (in their viewpoint ;) play, we could easily be accused of "singing from the same song sheet".
What scares me is that these "empire builders" have to "prove" that they are needed every once in a while to avoid being accused of "chicken little" or "crying wolf" behaviour.
For instance over the past thirty or fourty years the US millitary has tried to provoke war with North Korea. Thankfully untill recently they have not been successfull. Sadly though the line appears to have been recently crossed (N.Korea has been accused of torpedoing a S.Korean vessel in disputed territorial waters).
The two important question are, what is the US involvment with the issue, and will it escalate.
Ran Ghostery add-on here. No trackers...thanks Bruce!
For some reason, this reminds me of the Monty Python spoof martial art Llap Goch: "an ANCIENT Welsh ART based on a BRILLIANTLY simple I-D-E-A, which is a SECRET. The best form of DEFENCE is ATTACK (Clausewitz) and the most VITAL element of ATTACK is SURPRISE (Oscar HAMMERstein). Therefore, the BEST way to protect yourself AGAINST any ASSAILANT is to ATTACK him before he attacks YOU... Or BETTER... BEFORE the THOUGHT of doing so has EVEN OCCURRED TO HIM!!! SO YOU MAY BE ABLE TO RENDER YOUR ASSAILANT UNCONSCIOUS BEFORE he is EVEN aware of your very existence!" and later promises "entire panzer divisions will melt to pulp as you master every situation without INADEQUACY"
So since when does the USA subscribe to and respect international law?
Why not proactively go after the tools used by the adversaries, namely unsecured, unpatched MS Windows installations?
Force MS and Apps makers to provide timely auto-update and free, open download of all patches fixes. As also quarterly service packs that bundle all fixes since the last one... Even more important for unlicensed installs...
I know it's an old idea, but we seem to get lost in the metaphors.
As many others have said, a war involves the use of arms and physical harm. Real-world stuff, not virtual, and it's kind of a prerequsite. Stealing ideas is espionage. Stealing money is fraud (or commerce, depending on your philosophies). Even espionage that eventually leads to harm is still espionage. At the very worst, espionage can be used to justify going to war -- casus belli -- but it is not war itself. Literal war involves force of arms.
Sure, I use metaphors all the time. They help illustrate difficult ideas with simpler analogues. The problem is that we get so literal-minded about the whole thing. The war on poverty was an exaggeration. The idea was to start a strenuous campaign, not to authorize artillery strikes.
We're talking about information packets on a wire. This is not physical harm.
The concept of a thousand elite military hackers is, shall we say, odd.
At low levels, military training is largely to get the soldier to behave in a certain way without thinking. Since a modern battlefield can shock the rationality out of anybody, this is key to one of the military's main functions.
At higher levels, there's tactical doctrine. This is a marvelous development that allows officers and NCOs at all levels to apply initiative and ingenuity while doing exactly what their superiors want and expect. It makes a military unit much more effective. It's based on expected results from doing fairly simple things, and is developed from testing such things in training, maneuvers, and actual war.
With such tools does the US Army approach Clausewitz's dictum that "In war, everything is very simple, but the simplest things are very difficult." This makes the US Army extremely effective.
Now, what of the above looks like it applies to hacking into enemy computer systems? A soldier who does rehearsed things mindlessly can be very effective in combat, but in cyberwar* can be replaced by Aunt Polly's poorly maintained Windows box, with Aunt Polly knowing nothing of it. Doctrine is a much looser affair, but it is based on tested outcomes and doesn't apply well to cyberwar.
Cyber-Clausewitz might well say, "In cyberwar, everything is very complicated, but complicated things are very easy."
The Army does try to inculcate things like determination and aggressiveness that will serve well when firmly ensconced on the front lines in a comfortable chair with plenty of cold Mountain Dew available, but a large part of what it does is completely irrelevant, and insofar as it infuses military culture (and it really has to, to keep the Army supreme on the battlefield) it will hinder the attempt to train cyberwarriors.
Personally, I think they'd be better served with civilian contractor cyberwarriors.
*No, I don't know what cyberwar means either. However, whatever it is, what I say about it should remain true.
@ Colin J Cassidy
"I hereby coin the term 'Cyber Rattling'."
Win. Collect your prize. :-)
Premptive attacks in the cyberworld, taking the fight to the enemy, seems like I heard those terms before. All you have to do is look at the mistakes made in the war on terror. Blowing up wedding parties, birthdays, schools the list goes on. To let this same group start doing this in the cyberworld behind a veil of secrecy is ludicrous. What happens when the government's offensive attack takes down a hospital computer system, traffic control system, or a payroll system in this country or one of our allies. Will the government come out and take responsibility or hide behind the secret veil? Maybe they can call it collarteral damage, the ends justify the means. As a citizen of this country are we going to let our computer networks be attacked by a organization that has a problem with personnel downloading and viewing kiddie porn on their office computers at the pentagon!
Re Llap Goch above: This is the ninja philosophy: Live your life so you have no enemies. But if circumstances are going to make someone your enemy, become his friend before he realizes this, then poison him.
By this philosophy, we need to poison the US military, or better yet, the military-industrial complex (which is why we HAVE the US military we have.).
Works for me.
Well, there is an obvious problem that in peacetime you simply don't know who is responsible for the attack. So you can't really do any counter-attacks or preemptive strikes (unless you consider DDOSing random botnet PCs to be proper response, but just random, useless collateral, obviously not doing attacker any hurt). In peacetime operations, the whole point is moot.
In war, however, having offensive capability makes much sense. You cannot stop or prevent attack (unless you're determined enough to nationalize Microsoft and put their security managers to execution squad), your only real defense is going to be MAD doctrine: You fuck up our civilian systems, we will fuck up yours.
Like nukes, but with less mushrooms and radiating stuff.
Since cyber attacks can inflict significant damage, these attacks---even if committed by non-state actors---could legally be considered acts of war. For a fascinating and carefully reasoned discussion of this issue, see"Responding to International Cyber Attacks as Acts of War" by Lieutenant Commander Matthew J. Sklerov in chapter 4 of the book, Inside Cyber Warfare (ISBN 9780596802158).
@ bruce. Its been a couple of days since I could post anything. Not looking so good. I've got spam and hacks messing with me so I can't broadcast my problem. And its worrs- before I was writing in the IT Post. Bare with me annd the typing that' s them. They keep pulling me off the web. Yes still have 40+ DOD certs in my device along with the gsacac smartcard they can't retrieve . I turn the phone off and pull batt. I believe I'm right about my finding so far and yes CISCO is part and QUANtUm and LUCENT. Are all being you through static IP my info is already known to them and thet have threated me and mine. I believe I know now why me my "family member " I'm scared to say who - want to protect but works at Lackland AFB in the cryptologic center on security hill and a budget analyst there. Highly security badges to get in and the place who dishes thes cac's out to everywhere..(he only facility of its kind. So yes ..real problems here too much for me to endure . I've been pulled from everysite imaginable that could helo and phone calls are a nil too. They want their info back . My texts emails popup with Chinese symbols....look into ninja interface ware too found inside my devie mmmgot to go
One more thing. Nuance voicr recogition has role in this. Can't get it off or away from anything I do. All phone calls double too and texts emails they no all it stats with voice
The DDoS attack (July 2009) against U.S. and South Korean government websites illustrates the intelligence gathering challenges involved with identifying the source of cyber attacks (and therefore determining who to counter-attack). Though all initially blamed the North Koreans (DPRK), it was ultimately discovered that the master server (controlling some 167k bots in 74 countries) was located in the offices of a legitimate company in Brighton, UK---it being in turn controlled , via VPN, from a Latin American business partner's machine in Miami, Florida. "A key component of [the]...malicious attack was hosted not inside the borders of a known adversary but within the United States itself. This phenomenon has not been adequately addressed or even considered in any of the legal arguments...that make a case for a preemptive first strike or even nuclear deterrent against the initiators of a cyber attack." Ref. Cyber Warfare, pp. 77-80, ISBN 9780596802158
Actually, after reading a German article that mentioned the subject, there did not necessarily seem to be a limitation to cyber attacks... "attacking" could also refer to starting a physical, non-virtual war. Cf.
http://www.heise.de/newsticker/meldung/... (at the end).
Which is the stupid part, that they are trying to stop attacks by stopping the attacker or the fact that they are in fact doing nothing because they are afraid of the lawyers?
Bruce -- you should be more clear.
An analogy is having soldiers being fired upon by bad guys and then determining that a good idea would be to shoot the bad guys rather than stay hunkered down forever. But instead they just argue all time about who the attackers are and who might be affected by retaliating.
One of Clarke's assertions is that we need to stop playing defense and go on the offense. One of my own flights of fancy (okay, I'm a novelist with the beginnings of an idea) is that pursuant to US Constitution Article 1 Section 8 the Congress authorize bonded cyber privateers and make security really profitable (see www.TheMorganDoctrine.com). The idea is still rough, so don't throw out the baby with the bath water, but privateers substantially financed and won the Revolutionary War.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.