[126891] in North American Network Operators' Group
Re: Nato warns of strike against cyber attackers
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Tue Jun 8 17:37:51 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <4C0EB2E1.4080501@2mbit.com>
Date: Tue, 8 Jun 2010 17:37:02 -0400
To: Brielle Bruns <bruns@2mbit.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 8, 2010, at 5:15 PM, Brielle Bruns wrote:

> On 6/8/10 3:08 PM, Peter Boone wrote:
>> So let's say a cyber-attack originates from a Chinese script kiddie.
>>
>> Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
>> Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
>> Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
>> Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
>> will all respond by invading China? Is NATO trying to start a war here?
>>
>> There's no mention in the article about any kind of electronic response to
>> the attack.
>>
>
> Of course, their reasoning seems to be that there's no possible way an
> attack could be from Russia, but using an open proxy, relay, etc. in
> China. It's not like an IP is guaranteed to be directly controlled by
> someone in that country.
>
> So, we end up invading China, and while all of our troops are there,
> Russia comes in and takes over the US or the EU without much effort.
>
> Note I'm just using Russia and China in examples here, no specific
> reason that it could only be them.
>
> If I didn't know any better, I'd say they let Bush write their
> policies.
Packets of mass destruction?

The issue of attribution -- and the extreme difficulty of doing it in
the online world -- is *very* well understood in Washington, even at the
policy-maker level. I'm currently a member of a National Academies
study committee on "cyberdeterrence"
(http://sites.nationalacademies.org/CSTB/CurrentProjects/CSTB_054995);
we've discussed that point ad nauseam. Consider this text from p. 9 of
our letter report:

"for many kinds of cyberattack the United States would almost
certainly not be able to ascertain the source of such an attack, even if
it were a national act, let alone hold a specific nation responsible.
For example, the United States is constantly under cyberattack today,
and it is widely believed (though without conclusive proof) that most of
these cyberattacks are not the result of national decisions by an
adversary state, though press reports have claimed that some are. In
general, prompt technical attribution of an attack or exploitation—that
is, identification of the responsible party (individual? subnational
group? nation-state?) based only on technical indicators associated with
the event in question—is quite problematic, and any party accused of
launching a given cyberintrusion could deny it with considerable
plausibility. Forensic investigation might yield the identity of the
responsible party, but the time scale for such investigation is often on
the order of weeks or months. (Although it is often quite
straightforward to trace an intrusion to the proximate node, in general,
this will not be the origination point of the intrusion. Tracing an
intrusion to its actual origination point past intermediate nodes is
what is most difficult.)"

But read the next paragraph, which discusses other ways to figure out
who did it.

We can hope that no one in Washington (or Beijing or Moscow or the
capital of Elbonia) is stupid enough to rely on IP addresses of the
actual attacking machines as a definitive indicator. Given how widely
understood that is, it's not even on my list of things to worry about.
The question that report is tackling is this: *if* there is a serious
online attack on critical infrastructure -- say, turning off some
generators with extreme prejudice
(http://edition.cnn.com/2007/US/09/26/power.at.risk/index.html), and
*if* you know who did it, is a "kinetic" response on the table? This
has nothing to do with the botnet du jour, nor with Sen. Lieberman
marching into your NOC with a subpoena for your "enable" passwords.
And while people in Washington (or Beijing or Moscow or the capital of
Elbonia) can be quite stupid, they're (usually) not quite as stupid as
all that. And yes, serious mistakes can be made. One more quote
from the report (p. 8):

"History shows that when human beings with little hard
information are placed into unfamiliar situations in a general
environment of tension, they often substitute supposition for knowledge.
In the words of a former senior administration official responsible for
protecting U.S. critical infrastructure, 'I have seen too many
situations where government officials claimed a high degree of
confidence as to the source, intent, and scope of a [cyber]attack, and
it turned out they were wrong on every aspect of it. That is, they were
often wrong, but never in doubt.'"

--Steve Bellovin, http://www.cs.columbia.edu/~smb