Cyber-Attack

Last month Marine General James Cartwright told the House Armed Services Committee that the best cyber defense is a good offense.

As reported in Federal Computer Week, Cartwright said: “History teaches us that a purely defensive posture poses significant risks,” and that if “we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests.”

The general isn’t alone. In 2003, the entertainment industry tried to get a law passed giving them the right to attack any computer suspected of distributing copyrighted material. And there probably isn’t a sys-admin in the world who doesn’t want to strike back at computers that are blindly and repeatedly attacking their networks.

Of course, the general is correct. But his reasoning illustrates perfectly why peacetime and wartime are different, and why generals don’t make good police chiefs.

A cyber-security policy that condones both active deterrence and retaliation—without any judicial determination of wrongdoing—is attractive, but it’s wrongheaded, not least because it ignores the line between war, where those involved are permitted to determine when counterattack is required, and crime, where only impartial third parties (judges and juries) can impose punishment.

In warfare, the notion of counterattack is extremely powerful. Going after the enemy—its positions, its supply lines, its factories, its infrastructure—is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty.

Both vigilante counterattacks and pre-emptive attacks fly in the face of these rights. They punish people who haven’t been found guilty. It’s the same whether it’s an angry lynch mob stringing up a suspect, the MPAA disabling the computer of someone it believes made an illegal copy of a movie, or a corporate security officer launching a denial-of-service attack against someone he believes is targeting his company over the net.

In all of these cases, the attacker could be wrong. This has been true for lynch mobs, and on the internet it’s even harder to know who’s attacking you. Just because my computer looks like the source of an attack doesn’t mean that it is. And even if it is, it might be a zombie controlled by yet another computer; I might be a victim, too. The goal of a government’s legal system is justice; the goal of a vigilante is expediency.

I understand the frustrations of General Cartwright, just as I do the frustrations of the entertainment industry, and the world’s sys-admins. Justice in cyberspace can be difficult. It can be hard to figure out who is attacking you, and it can take a long time to make them stop. It can be even harder to prove anything in court. The international nature of many attacks exacerbates the problems; more and more cybercriminals are jurisdiction shopping: attacking from countries with ineffective computer crime laws, easily bribable police forces and no extradition treaties.

Revenge is appealingly straightforward, and treating the whole thing as a military problem is easier than working within the legal system.

But that doesn’t make it right. In 1789, the Declaration of the Rights of Man and of the Citizen declared: “No person shall be accused, arrested, or imprisoned except in the cases and according to the forms prescribed by law. Any one soliciting, transmitting, executing, or causing to be executed any arbitrary order shall be punished.”

I’m glad General Cartwright thinks about offensive cyberwar; it’s how generals are supposed to think. I even agree with Richard Clarke’s threat of military-style reaction in the event of a cyber-attack by a foreign country or a terrorist organization. But short of an act of war, we’re far safer with a legal system that respects our rights.

This essay originally appeared in Wired.

Posted on April 5, 2007 at 7:35 AM. 50 Comments

Comments

Eli April 5, 2007 8:16 AM

(previously posted as a comment on the Wired article.)

It would be better to elaborate about how difficult it is to know from where an online attack is coming than to go off into irrelevant humanitarian and moral directions. If someone were attacking my computer, and I could be 100% sure who and where he is, why shouldn’t I try to remove the threat?

But 100% assuredness is not the case. Not only is it hard to tell where they are, but cyber attacks are cheaper than military attacks — the same attacker can set himself up just as easily in a different location. This has nothing to do with peacetime vs. wartime, and it can quickly turn into resource-creep spent on a wild goose chase.

My conclusion would be: fortify your defenses and spend those resources on hardening your system, instead of chasing after ethereal enemies.

A Nonny Mouse April 5, 2007 8:24 AM

Why are you quoting the Declaration of the Rights of Man, a document which was, until the creation of the Soviet Constitution, one of the greater exercises in government cynicism, ever?

How about quoting the US Constitution? While it’s unfortunately tending down the same road as the Declaration of the Rights of Man, it didn’t start that way.

Amendment V

No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Amendment VI

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the state and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.

Ale April 5, 2007 8:37 AM

Every time I read of these “retaliatory” techniques, I am reminded of the animal immune systems. These can be subverted by channeling the response against the organism itself: this is in very basic terms how allergies and self-immune diseases work. Thus, if any government deployed cyberwarfare infrastructure poised on retaliation, it too could be used to bring the internet to its knees by just triggering it in an appropriate fashion. Moral issues aside, I think automated retaliation systems are exploitable and thus, a bad idea. And non-automated systems cannot even hope to react in timescales comparable to automated attacks.

Colossal Squid April 5, 2007 8:43 AM

FCW link is dead (14:37 BST)
Someone seems to have pre-emptively taken out their SQL Server.

Stephan Samuel April 5, 2007 8:44 AM

Clearly there is a difference between wartime and peaceful existence. I would argue, however, that since we’re invoking the US Constitution (or other related documents) and opinion of US Marine generals, we ought to give the US Congress the right to declare war on cyberattacks.

In my opinion, the biggest problem that faces the Internet today is the proliferation of spam. It used to be email, but now it’s instant messaging, blogs, wikis, and anything else not CAPTCHA-protected. Since cyberspace is organized differently from the physical surface of the Earth, should Congress declare war on “all the spammers,” after which we let the military loose on them? Certainly, identifying a spammer is easier than identifying an enemy in the “war on drugs,” or the “war on terrorism.” The military is well trained at seeking, identifying and eliminating threat targets. Negotiating and legislating hasn’t worked. Maybe it’s time we assemble a governmental militia of crackers and give the NSA a chance at holding up the front line.

The problem isn’t as simple as “the best defense is a good offense,” but like most things in life it’s also not as simple as, “peace not war.”

vwm April 5, 2007 9:01 AM

@Samuel: “Certainly, identifying a spammer is easier…”

It isn’t.

And, pray tell, why do you believe military forces to be more effective in catching criminals than the police?

Spider April 5, 2007 9:02 AM

What is the limit of self defense?

Does that mean hiding behind your firewall and routers in the event of an attack, or should you be able to shutdown the attacking computer?

Regardless of who ordered the attack, I think you should be able to temporarily disable an attacking computer, using a method that would be easiest to reverse.

If I detect an attacking computer, there should be mechanisms in place to contact the isp and have them contact the owner and/or block the malicious traffic from the computer.

The courts move too slowly to work against the constantly changing threat. There needs to be an internationally agreed upon protocol for dealing with these situations. ICANN, I’m looking in your direction.

HmD April 5, 2007 9:14 AM

“Regardless of who ordered the attack, I think you should be able to temporarily disable an attacking computer, using a method that would be easiest to reverse.”

What about a 500k strong botnet? What about a distributed reflection attack?

Finding who to retaliate against is a very tricky business.

h2odragon April 5, 2007 9:17 AM

Even if your computer is a zombie, don’t you bear some responsibility for it and whatever attacks it originates? If my unsecured firearm is used in the commission of a crime, doesn’t the law nail me for not having a trigger lock on it? (Perhaps not in my jurisdiction, thankfully, but the principle sounds familiar.)

If the owners of superfund sites can be responsible for acts that were criminalized later, does the principle hold to the point where we can sue AOL for the pollution they unleashed on usenet?

Maybe we need more time, and less restraint, for the “wild west” vigilante justice to work out some acceptable examples and counter-examples. The legal system hasn’t the knowledge or the guidance from lawmakers to seek justice for most computer crimes, in any logical way.

merkelcellcancer April 5, 2007 9:36 AM

Yes, general, launch that cyber missile and watch it do a U-turn to launch an attack against our systems.

Bruce Schneier April 5, 2007 9:47 AM

“It would be better to elaborate about how difficult it is to know from where an online attack is coming…”

I thought that was a bit too obvious. Everyone talks about how hard it is to identify the source of an attack. I mentioned it in passing; that seemed to be enough.

“…than to go off into irrelevant humanitarian and moral directions. If someone were attacking my computer, and I could be 100% who and where he is, why shouldn’t I try to remove the threat?”

Because it’s illegal — and it should be illegal. (That’s why I focused the essay on that part.)

Greg April 5, 2007 9:47 AM

@Spider

There is, it’s called a telephone. Call the ISP (which can be determined via a whois) and tell them the problem. They check the web traffic, stop the account, notify the person, and take whatever action they deem needed.

We have done this quite a few times and even when the ISPs are in other countries we have found this to be effective. It’s the best security response.

Even when we had problems with some guy spamming a forum with porn via an Anonymizer. We contacted the Anonymizer site (in another country) and informed them of the problem. We never got another piece of porn on the site.

Bruce Schneier April 5, 2007 9:48 AM

“Why are you quoting the Declaration of the Rights of Man-a document which was, until the creation of the Soviet Constitution, one of the greater exercises in government cynicism, ever.

“How about quoting the US Constitution?”

I quoted the former because it was more international. Of course, both documents — and a bunch more besides — serve to illustrate the point.

avery April 5, 2007 10:16 AM

Following your logic h2odragon, doesn’t the owner of every web server between your infected computer and the target of some zombie master also bear some responsibility?

Given the calm, rationality and tech savvy that government security types seem to keep demonstrating, I imagine a system that can’t tell the difference between a denial of service attack and someone playing World of Warcraft, and a policy not dissimilar from summarily executing the crew of the Nimitz because someone didn’t properly shut the door to the radar room.

Peter Pearson April 5, 2007 10:17 AM

Bruce, if you’re going to spend hundreds of words scolding General Cartwright for advocating the use of cyberattacks in peacetime, shouldn’t you at least establish that he has advocated same? All you do is quote his advocacy of having a capability, which is not at all the same as advocating its use in peacetime.

Mike Sherwood April 5, 2007 10:22 AM

The difference between wartime and peacetime tactics is interesting. In a traditional shooting war, both sides get together and go through a process of agreeing to throw a war. One side makes demands and the other either capitulates or resists, the latter being the justification for the eventual war, regardless of how reasonable the original demands were.

On the internet, the attacks are more like terrorism. It’s not like IBM and HP executives meet and sign a declaration of cyberwar and agree to certain conditions for a reasonable and humane cyberwar. There are no rules or boundaries and the victim only knows they are a victim after the attack has started.

Random individuals or groups attack other individuals or groups for various reasons. Whether the reasons are political or monetary are usually unknown to the victim. The legal option of pursuing an attacker is very expensive and time consuming, making it effectively unavailable to the vast majority of victims. The lack of reasonable recourse as a victim is what leads to vigilante action being considered a reasonable response.

The problem is that attacks on the internet are usually false flag operations. The entity initiating the attack makes it appear to come from somewhere else, so if there is a counter attack, the target of that is the secondary victim, not the initiator.

The military approach has significant problems when you know that your attackers are all sociopaths who have nothing to lose. However, the current legal system makes it impossible for the victim to do anything useful. If someone is conducting a DoS against a commercial web site, getting injunctions issued against bots a few months later is just another DoS against the victim’s resources, while having no impact at all on lost revenue.

HolyMoly April 5, 2007 11:52 AM

No offense but your article is weird, especially the attacks on computers hosting copyrighted material. Should Viacom DDoS YouTube by hiring botnet masters on a weekly basis in this case since YouTube is “attacking” them?

Chris E April 5, 2007 12:20 PM

David: I would say your analysis is correct; while he comments on drug raids and stings, those usually follow strict guidelines on what the police can and can’t do. After the offensive operation as well, there is judicial oversight. A better analogy for his idea would be to level a city block known to hide gang members that have killed police or innocents.

Dom De Vitto April 5, 2007 12:23 PM

Geee, I thought putting extra security measures into our colo sites was a drag.

Now you’re saying I need to move them into a nuke bunker.

What’s next, router busting missiles?

j April 5, 2007 12:24 PM

Bruce: Pardon my off-topic post, but could you edit the comment with the extremely long URL? In IE6 at least, the presence of that line is making the frame so wide that even full-screen I need to scroll horizontally to see each line of most of the comments. Thanks.

anonymous April 5, 2007 12:32 PM

Wow! Imagine the opportunities for a malicious entity or a malicious government to create a false flag scenario if a large scale hack was sufficient to initiate a military action. Because, after all, the “apparent source” of a computer intrusion is always the actual source, ya know…

HmD April 5, 2007 12:35 PM

Chris:

I agree with your opinion of Richard Bejtlich’s post, and I think that it stems from the fact that he assumes that there is a cyberwar going on now, while Bruce doesn’t. Thus, what is legal and what isn’t is very different for one or the other.

So, are we or are we not in a cyberwar?

In my eyes, we are not.

Spider April 5, 2007 12:51 PM

@greg

It doesn’t work everywhere. Many Eastern European and South East Asian ISPs won’t do anything, which is where a lot of malware originates.

I’d like a standard protocol on how to deal with any given node that misbehaves.

The difficulty would lie in specifying what exactly was considered harmful or malicious content. The Thai government has banned youtube over a video of some one defacing a poster of their king. We wouldn’t want to give them the power to shutdown youtube for everyone.

Ed T. April 5, 2007 1:03 PM

“I’d like a standard protocol on how to deal with any given node that misbehaves.”

How about “shun (block | firewall) it”? Refuse any and all attempts to communicate that originate from the offending node/address space. OK, so you may catch some ‘botted machines in this type of situation, but you aren’t damaging them – you are simply preventing them from damaging you.

~EdT.

averros April 5, 2007 1:31 PM

Does someone besides myself think that the whole notion of cyber-attacks on a bunch of camel-riding guys with AK-47s and buckets of explosives is, well, ridiculous?

Cyber-warfare works only against IT-saturated economies. And none of those is likely to become an enemy – they all are heavily dependent on trade with US.

The General is, well, selling snake oil. His statements are nothing more than solicitation for more funds to be expropriated from honestly working people.

Dr. S April 5, 2007 1:38 PM

Yes, but the… whole point of the doomsday machine… is lost… if you keep it a secret! Why didn’t you tell the world, eh?

FooDoo April 5, 2007 2:23 PM

I think the idea of “peace time” is false. The reality is that we are always at “war”, to some degree. There are hackers from the U.S. & other nations who want secrets, to achieve DoS, etc… Then you have organized crime, amateur criminals, script kiddies, blackhat hackers, white hat hackers… Anyway, idealism won’t solve the problem is my point. Have a good day all.

derf April 5, 2007 2:24 PM

The “police” are a nice notion of justice in a civilized country with a uniform code of conduct. The notion falls flat on its face when dealing with countries where laws are not only not uniform, but don’t even agree as to the definition of a cyber crime.

However, even this hasn’t deterred or even begun to stem the tide of spam or malware just in the US alone where we actually have this kind of justice system. The idea of “innocent until proven guilty” only works when you have the capability of catching the criminals and actually putting them on trial. I would submit that this isn’t the case in the USA today where cyber crimes are concerned, much less on the rest of Earth.

Where does this leave us? If we don’t have a justice system capable of stopping the criminals, to whom do we turn?

I don’t know that the military option will work either. It’s not like we can drop nuclear bombs on the physical location of suspected spammers, no matter how much the idea appeals to us.

However, IP address black lists like we have for spam might work if they were incorporated into internet routing. There would need to be some stringent oversight, a precise definition of what is and isn’t allowed, and an obvious and easy way for a “reformed” system to regain access.

Derp April 5, 2007 2:28 PM

The strategic objective of this Conference is to enable U.S. government managers and executives to better understand the nature, character and threat of suicide terrorism as it relates to the protection of employees and U.S. citizens. The overall goal is preparedness and readiness of Federal agencies in the face of this growing threat.

The Conference will draw on the expertise of select U.S. Government personnel and academics as well as non-US government scholars and specialists on suicide terrorism, suicide bombings and on improvised explosive devices (IEDs) to create an interactive and deliberative environment for federal managers to discuss the underpinnings and mitigation of suicide terrorism and IEDs. This conference sets the foundation for preparedness by:

University of San Diego, San Diego, CA

U.S. Office of Personnel Management 1900 E Street NW, Washington, DC 20415 | (202) 606-1800 | TTY (202) 606-2532
5 days. $1,000.00
Includes tuition, materials, lunch, break service

You would have to pay me 2 G’s to sit through a week of this stuff. You can’t torture people on the internet.

Bruce Schneier April 5, 2007 2:40 PM

“My conclusion would be: fortify your defenses and spend those resources on hardening your system, instead of chasing after ethereal enemies.”

Agreed.

Bruce Schneier April 5, 2007 2:42 PM

“I agree with your opinion of Richard Bejtlich’s post, and I think that it stems from the fact that he assumes that there is a cyberwar going on now, while Bruce doesn’t. Thus, what is legal and what isn’t is very different for one or the other.”

Anyone who thinks we’re fighting a cyberwar simply doesn’t know what war actually is.

Rhetorical wars — war on drugs, war on terror, war on — are not real wars. They’re figures of speech.

Francois April 5, 2007 2:57 PM

In the current US social and political climate, there is little differentiation between acts of crime, acts of terrorism and acts of war. There should be – but there isn’t. Political rhetoric has been taken to a new level.

Curiosity April 5, 2007 4:05 PM

I was intrigued by this bit of the article.

“Stratcom is also concerned with attacks against space-based communications and navigation systems, such as the Global Positioning System, Cartwright said at the committee hearing. Intentional interference with space-based intelligence, navigation and communications satellites, while not routine, now occurs with some regularity”

I have wondered in the past just how secure satellite services and control systems are against knowledgeable attackers. Can anybody comment on this?

P.S. my web browser insists on rendering this page in a ridiculously wide page setting. Any chance of somebody checking the server Bruce?

the other Greg April 5, 2007 10:06 PM

“Negotiating and legislating hasn’t worked.”

The latter especially has been intended not to work. The corporations who pay lobbyists don’t want no spammers. They want no other spammers.

yes-we-need-it April 6, 2007 2:23 PM

@HmD

“So, are we or are we not in a cyberwar?
In my eyes, we are not.”

Depends on what comes across your desk. Presumably, Richard Bejtlich has a better view of this since his business is network monitoring.

In any case, all infrastructures need both defensive and offensive capabilities. We (US military) better have them – that is what we pay them for.

Bruce Schneier April 6, 2007 4:27 PM

“Presumably, Richard Bejtlich has a better view of this since his business is network monitoring.”

My business is network security monitoring, which should be worth something.

Matt from CT April 6, 2007 6:03 PM

Is the real value in attacking and disabling an enemy infrastructure?

I’d think real cyberwar would involve removing trust from a functional system.

i.e. with Al Qaeda, let them communicate. And intercept and redirect some clients so they see a different message — make people question which one is the real message (I guess more along the lines of psychological operations). Develop the skills to take messages and change entire sentences or paragraphs; redirect the message a little bit, or make people think the mullah is saying something else, or he’s an idiot…that type of head game playing.

He who controls the routers can have all sorts of fun…

Of course, in a situation like AQ, you could also play mind games — if you managed to determine whether orders were being sent over the network and could falsely initiate operations before time so they occurred without coordination. Something like, “Ok, we know the target is X, we know the trigger word is Y, let’s see who we can flush out of the woodwork and meet at X”

PennGwyn May 1, 2007 4:01 PM

One radical analysis suggests that there would never have been any need to create a Department of Homeland Security if the Department of Defense had ever seriously considered it their job to defend.

Yes, we need generals who understand how to think about offensive operations, in order to understand the threats we face. What we’ve never needed was doubletalk about how, by focussing almost exclusively on offensive capability, they’re somehow providing us with some mystic-voodoo trickle-down defense that’s even better than the real thing.


Since I originally wrote that, I’ve been thinking that “The best defense is a good offense” is a THEORY, here being propounded as if it were an established fact. In the rather specialized case of MAD (Mutually Assured Destruction), it’s probably even true. But can we safely generalize that it is some sort of Law of the Universe?

A good offense WINS wars. A good defense — even if it also happens to be a good offense! — discourages and even PREVENTS wars. And that means that it is far easier to enumerate cases where a defense wasn’t good enough than to measure when one has been adequate or better than another.

Spy Guy April 25, 2008 9:17 PM

I have been reading all I can about cyber attacks and warfare. The former Chief Strategist of Netscape – Kevin Coleman – has warned that we are at great risk in business, government and industry. Why is it we never listen to the experts before it is too late?

please-buy-discs-dept. July 7, 2008 9:31 AM

This is weird.
“Google-owned YouTube was ordered to turn over to Viacom the login names and computer addresses of Internet users that frequent the popular video-sharing site.”

Google has no control over users. This is like Napster all over again. Digital video reduces the amount of plastics needed. Plastic is made from oil, so YouTube reduces oil demand. I’m for any solution that reduces oil demand.
YouTube is good for the country.

zap-a-disc-dept. July 7, 2008 9:42 AM

“A US company is taking plastics recycling to another level – turning them back into the oil they were made from, and gas.

All that is needed, claims Global Resource Corporation (GRC), is a finely tuned microwave and – hey presto! – a mix of materials that were made from oil can be reduced back to oil and combustible gas (and a few leftovers).

Key to GRC’s process is a machine that uses 1200 different frequencies within the microwave range, which act on specific hydrocarbon materials. As the material is zapped at the appropriate wavelength, part of the hydrocarbons that make up the plastic and rubber in the material are broken down into diesel oil and combustible gas.”
http://environment.newscientist.com/article/dn12141

Old media powering new media. Google can run servers on old DVDs.

Richard Bejtlich May 2, 2010 7:31 PM

“Anyone who thinks we’re fighting a cyberwar simply doesn’t know what war actually is.”

Were you in the military Bruce? I was.

“My business is network security monitoring, which should be worth something.”

Me too — I wrote the book on it. 🙂

CyberTAU September 2, 2010 9:04 AM

I’m just wondering if we’re going to still be having this conversation when the power grid is out, martial law is invoked, and we have mass chaos because we decided it was best to wait on “legal” approval of action first instead of invoking the right to self defense. By the time an attack of magnitude gets through the legal system and a decision is made that we can actually take action, our legal system won’t exist anymore when the grid is out, the financial sector is paralyzed, food distribution is disrupted, and there’s no law and order. We need standing rules of engagement for hostile actions. We already have many of them from a defensive perspective. We need to adopt acceptable attack options, ensure there’s some human decision making first before any automated tool is deployed, and conduct the offensive operation with continuous feedback to ensure the intended effects are achieved. I don’t think anyone is advocating some kill switch that once pushed, sends nuclear IP packets to a server and destroys half of the Internet, then sends you a link to a web-based report that tells you how well you did. But we need coherent attack options rather than cling to the castle mentality that demands we build a moat, pull up the drawbridge, and hope the attackers never develop a capability to breach the wall.
