Imagine for a moment that you got your wallet stolen.
It could be from your back pocket in a crowd or your bag hanging on a chair in a busy restaurant.
Now, if the police caught the individual responsible, would they be charged with assault? Almost certainly not (assuming that you did not notice the initial theft because it was surreptitious). You (or the victim) would most likely feel assaulted, offended and distraught about the invasion of privacy and security. Yet the authorities would not consider your “feelings,” instead moving forward to deal with the specifics of the situation as they pertain to existing law.
Seems reasonable. Right? A pickpocket, if caught, shouldn’t be charged with assault.
Moving over to the cyber realm, is it me, or is every possible type of incident beginning to be described as a “cyber attack”? And if you label every problem a nail, then a hammer is always the answer.
A few weeks ago Paul Rosenzweig of the blog Lawfare shared a list of “‘Significant Cyber Attacks’ on Federal systems since 2004” that he states is from sources on Capitol Hill. I do not know Mr. Rosenzweig but he seems to be a sophisticated observer and analyst of cyber-related topics, so I am not claiming that everywhere he looks, everything he sees looks like a cyber attack to him. That this list originated in some Congressional office is the disturbing part. Just a few examples of incidents included in this list of “attacks” (the full list can be found in the Lawfare blog post):
- USDA DC headquarters – June 2006 – The Department of Agriculture was subject to a cyber attack where the names, social security numbers, and photographs of 26,000 employees were stolen. http://www.msnbc.msn.com/id/31000126/ns/technology_and_science-security/t/cyber-attacks-continue-grow/
- Website breach – December 2009 – Department accidentally leaked Personally Identifiable Information and Social Security Numbers on website and didn’t notify employees for 7 weeks. http://www.washingtonpost.com/wp-dyn/content/article/2010/01/26/AR2010012603509.html?hpid=news-col-blog
- Commerce Secretary – December 2007 – Spying software was found on the devices of then Commerce Secretary following a trip to China with the Joint Commission on Commerce and Trade. http://www.nationaljournal.com/magazine/china-s-cyber-militia-20080531
- F-35 development – February 2012 – It was announced that delays and high costs for the development of fighter plane F-35 stemmed from responding to cyber attacks that stole classified information discussing the technology. http://defensetech.org/2012/02/06/did-chinese-espionage-lead-to-f-35-delays/
- Non-Classified IP Router Network – August 2006 – A senior Air Force Officer announced that, “China has downloaded 10 to 20 terabytes of data from the NIPRNet.” http://gcn.com/articles/2006/08/17/red-storm-rising.aspx
- August 2006 – Computers containing personal info of grant reviewers were stolen. http://www.idtheftcenter.org/artman2/uploads/1/ITRC_Breach_Report_20061231.pdf
- May 2010 – Lost CD contained info of 7,500 employees. http://fcw.com/articles/2010/06/16/interior-loses-cd-with-personal-data-for-7500-federal-employees.aspx
We have theft, we have espionage, and we have negligence. Could some of these turn out to reveal vulnerabilities leading to extortion or attacks at a later date? Certainly. Do these and other similar examples from the full list represent potential risks to our national security? Perhaps. But do they represent attacks? No.
To be sure, there are attacks included on the list, as well as cases of espionage that are frightening. But you don’t guard against pickpockets in the same manner as you do muggers or attackers wishing to inflict bodily harm.
When you do in the cyber realm, you may end up in a “go time” mode similar to Security Debrief’s L. Vance Taylor:
These attacks aren’t coming because of any real or perceived lack of cyber security protocols in the private sector. The attacks are coming because we allow countries like China to use cyber space to lie to us, steal from us, cheat us and even physically harm us without consequences or repercussions. It has to end.
If Congress wants to do something productive to address cyber security, it should work (along with the Administration) to establish deterrents that will make countries like China think twice before taking our lunch. Two such deterrents could include:
- Banning businesses that are headquartered in countries that hack into our CIKR networks from competing on projects in the U.S. sectors where American networks have been compromised or attacked.
- Instituting economic sanctions (equaling up to 10 times the costs of the financial implications of a given cyber attack) on any foreign country attacking America or her industries.
In short, Congress should stop legislating the private sector as a means to giving the nation the illusion that it’s doing something about cyber security. Instead, it should do something to prevent future attacks and actually bring perpetrating countries to justice.
Mr. Taylor was describing his theory of response to attacks such as the recent targeting of the natural gas industry. Yet in seeing a tootsie roll, uh, I mean cyber attack, originating in China (or Russia or any other country not counted as “allies”) in every event, he suggests a tough-sounding stance of deterrence that doesn’t take into account reality.
1. Not every cyber incident is an attack.
2. Not every cyber incident, even those that are attacks, can be accurately attributed. We may suspect an attack came from Chinese computers, but can’t prove it. Or perhaps we think it’s Russian hackers, but actually a group in Indonesia routed the attack through Russia.
3. Not every cyber incident comes from a state of concern. China and Russia are often singled out, and Iran has gotten attention in recent weeks, yet there are hackers in almost every country. What if, per #2, U.S. hackers attempt to shut down a piece of critical infrastructure but make it appear to be an attack from China? And it is also an uncomfortable truth that allies spy on each other – the French have long been suspected of state-sponsored industrial espionage, and does anyone remember Jonathan Pollard?
4. What if other states adopt similar cyber policies? Should U.S.-based hackers be discovered attempting to infiltrate an Indian government agency’s networks, what should the Indians do in response? What if confidential industrial information was stolen? Should they sanction U.S. companies through whose networks the attack took place without their knowledge?
It is also a fact that not only do hackers live in the United States, but our government is suspected of producing cyber weapons and maybe even (shhhhhh…..) undertaking a little cyber espionage:
Researchers have identified a sophisticated new computer virus 20 times the size of Stuxnet, the malicious software that disabled centrifuges in an Iranian nuclear plant. But unlike Stuxnet, the new malware appears to be used solely for espionage.
Variously dubbed Flame, Skywiper and Flamer, the new virus is the largest and possibly most complex piece of malware ever discovered, which suggests it is state-sponsored, researchers said.
As with Stuxnet, the creator of Flame remains a mystery, though some analysts say they suspect Israel and the United States, given the virus’s sophistication, among other things.
Some researchers say that certain characteristics common to Stuxnet and Flame suggest that whoever ordered up Stuxnet is also behind Flame.
The cyber realm is complicated. There exist no simple answers to complex issues. Unfortunately this world is not full of tootsie rolls, but instead reads like a John le Carré novel.