Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid Confit |
| Detecting Being Watched »
April 5, 2010
"Protecting Europe Against Large-Scale Cyber-Attacks"
Report from the House of Lords in the UK (pdf version).
Posted on April 5, 2010 at 8:31 AM
• 7 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Hint no need to read any government report - just look at the list of people invited to give evidence and you can guess whether the conclusion will be:
More research needed / big contracts to security consultants / more laws to restrict internet use.
"The Communication is concerned only
with three types of attack:
• an attack that is aimed at the network itself, or at some specific piece of critical information infrastructure (such as the power grid), and which
hence impacts on almost all users;
• an attack that uses large-scale resources to attack a small number of sites,
e.g. DDoS attacks; or
• an attack (using any scale of resource) on a large number of sites, e.g. the
indiscriminate bulk sending of emails (spamming)."
Considering that none of their examples had anything like the first point (the power grid) I don't see how that is included.
And the 3rd point ... really? Spam?
DDoS is the only real "threat" and that is simple to deal with by not putting control systems on the Internet.
The subtitle "Report with Evidence" inclines me to at least read the TOC.
I skimmed some of it. One section of the document discussed the need for additional national CERTs in the EU, and that section contained one observation that resonated with me:
'Mr Cormack pointed out that still only about 25 per cent of European IP addresses had a CERT or an abuse team sitting somewhere above them. "There is therefore definitely a role for Government, European bodies, anyone, please, to try and help fill in those blanks on the map, the 75 per cent of IP addresses which, when I get an incident from them, I can do nothing about because I have no trusted contact"'
I suggest that you start by reading from page 164 in the PDF, the memorandum by XS4ALL Internet. That piece of feedback comes from a person with 20 years of IT-security experience. His answers says a lot about how the rapporteurs have got most things quite backwards.
I guess the politicians feel that they are not in control, but do not realize that the reason is due to their own ignorance. They simply need education, not a new police force or even a new military force. The report is yet another "sky-is-falling-report" with a bit of scare mongering. In a way it can be seen as an early preparation for an attack on the internet by itself. This question and its answer by XS4ALL Internet is quite telling and really sums it up:
Q: Are Government operated Computer Emergency Response Teams (CERTs) an appropriate mechanism for dealing with Internet incidents?
A: No, absolutely not. A Government operated CERT should focus on being the computer security response organisation for a given government’s IT infrastructure only. Their obligation is to their residents and citizens and the infrastructure the government itself provides and uses. Most governments are woefully unprepared for their own IT infrastructure and need considerable time to get “their own house in order”—at the end of the day they are merely one player in a large world of response teams—one voice in the CERT choir.
XS4ALL has some very good security folk.
I'd take their comments further to say "If you peer with someone, you are, by default, their CERT. Internet highways are private, not government roads. The connecting owners can, and should, 'close the road' if it's being abused, or face being 'cut off' themselves."
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.