Homeland Security Watch

News and analysis of critical issues in homeland security

May 28, 2012

The Cyber-Tootsie Roll Effect (Or Please Stop Calling Every Cyber Something An Attack)

Filed under: General Homeland Security — by Arnold Bogis on May 28, 2012

Imagine for a moment that you got your wallet stolen.

It could be from your back pocket in a crowd or your bag hanging on a chair in a busy restaurant.

Now, if the police caught the individual responsible, would they be charged with assault? Almost certainly not (assuming that you did not notice the initial theft because it was surreptitious).  You (or the victim) would most likely feel assaulted, offended and distraught about the invasion of privacy and security.  Yet the authorities would not consider your “feelings,” instead moving forward to deal with the specifics of the situation as they pertain to existing law.

Seems reasonable.  Right?  A pick pocket, if caught, shouldn’t be charged with assault.

Moving over to the cyber realm, is it me or is every possible type of incident beginning to be described as a “cyber attack!” And if you label every problem a nail, then a hammer is always the answer.

A few weeks ago Paul Rosenzweig of the blog Lawfare shared a list of ““Significant Cyber Attacks” on Federal systems since 2004” that he states is from sources on Capitol Hill.  I do not know Mr. Rosenzweig but he seems to be a sophisticated observer and analyst of cyber-related topics, so I am not claiming that everywhere he looks, everything he sees looks like a cyber attack to him.  That this list originated in some Congressional office is the disturbing part.  Just a few examples of incidents included in this list of “attacks” (the full list can be found the Lawfare blog post):

We have theft, we have espionage, and we have negligence. Could some of these turn out to reveal vulnerabilities leading to extortion or attacks at a later date?  Certainly.  Do these and other similar examples from the full list represent potential risks to our national security?  Perhaps.  But do they represent attacks?  No.

To be sure, there are attacks included on the list.  As well as cases of espionage that are frightening.  But you don’t guard against pick pockets in the same manner as you do muggers or attackers wishing to inflict bodily harm.

When you do in the cyber realm, you may end up in a “go time” mode similar to Security Debrief’s L. Vance Taylor:

These attacks aren’t coming because of any real or perceived lack of cyber security protocols in the private sector. The attacks are coming because we allow countries like China to use cyber space to lie to us, steal from us, cheat us and even physically harm us without consequences or repercussions. It has to end.

If Congress wants to do something productive to address cyber security, it should work (along with the Administration) to establish deterrents that will make countries like China think twice before taking our lunch. Two such deterrents could include:

  1. Banning businesses that are headquartered in countries that hack into our CIKR networks from competing on projects in the U.S. sectors where American networks have been compromised or attacked.
  2. Instituting economic sanctions (equaling up to 10 times the costs of the financial implications of a given cyber attack) on any foreign country attacking America or her industries.

In short, Congress should stop legislating the private sector as a means to giving the nation the illusion that it’s doing something about cyber security. Instead, it should do something to prevent future attacks and actually bring perpetrating countries to justice.

Mr. Taylor was describing his theory of response to attacks such as the recent targeting of the natural gas industry. Yet in seeing a tootsie roll, uh, I mean cyber attack originating in China (or Russia or any other country not counted as “allies”) in every event he suggests a tough sounding stance of deterrence that doesn’t take into account reality.

  1. Not every cyber incident is an attack.
  2. Not every cyber incident, even those that are attacks, can be accurately attributed.  We may suspect an attack came from Chinese computers, but can’t prove it.  Or perhaps we think it’s Russian hackers, but actually a group in Indonesia routed the attack through Russia.
  3. Not every cyber incident comes from a state of concern.  China and Russia are often singled out, and Iran has gotten attention in recent weeks, yet there are hackers in almost every country.  What if per #2 U.S. hackers attempt to shut down a piece of critical infrastructure but make it appear to be an attack from China?  And it is also an uncomfortable truth that allies spy on each other–the French have long been suspected of state-sponsored industrial espionage and does anyone remember Jonathan Pollard?
  4. What if other states adopt similar cyber policies?  Should U.S.-based hackers be discovered attempting to infiltrate an Indian government agency’s networks, what should the Indians do in response?  What if confidential industrial information was stolen, should they sanction U.S. companies through whose networks the attack took place without their knowledge?

It is also a fact that not only do hackers live in the United States, but our government is suspected of producing cyber weapons and maybe even (shhhhhh…..) undertaking a little cyber espionage:

Researchers have identified a sophisticated new computer virus 20 times the size of Stuxnet, the malicious software that disabled centrifuges in an Iranian nuclear plant. But unlike Stuxnet, the new malware appears to be used solely for espionage.

Variously dubbed Flame, Skywiper and Flamer, the new virus is the largest and possibly most complex piece of malware ever discovered, which suggests it is state-sponsored, researchers said.

As with Stuxnet, the creator of Flame remains a mystery, though some analysts say they suspect Israel and the United States, given the virus’s sophistication, among other things.

Some researchers say that certain characteristics common to Stuxnet and Flame suggest that whoever ordered up Stuxnet is also behind Flame.

The cyber realm is complicated.  There exist no simple answers to complex issues.  Unfortunately this world is not full of tootsie rolls, but instead reads like a John Le Carre novel.

Share and Enjoy:
  • Digg
  • Reddit
  • Facebook
  • Yahoo! Buzz
  • Google Bookmarks
  • email
  • Print

3 Comments »

Comment by William R. Cumming

May 29, 2012 @ 7:12 am

Well for a start you could only allow persons with full background investigations with favorable review before they can own personal computers. Or you could just sue for constructive fraud any software manufacturer that is revealed to have security breaches in their systems.

Did you know there is a very serious movement to push the UN as the World’s cyber czar? And who is the cyber czar promised by the President? What is his or her’s immediate budget and authority? Last I checked computer security is an OMB function under Directive A-130 and is access control for sensitive systems. How much is spent by each federal organization on so-called cyber security? Budgets and staff? Legal authorities?

Perhaps someone can answer these questions but since I cannot hoping so. If none then perhaps we have another JFK missile gap used to win the 1960 election [revealed after the fact to be non-existent].

Comment by Michael Brady

May 29, 2012 @ 9:21 am

Well said Mr Bogis,

Many of these incidents are more accurately described as exploits, a term that gives the defender’s obligation to understand the program’s vulnerabilities and to apply the correct preventatives proper due.

In addition to the lobbying and marketing efforts of the military industrial permanent emergency complex, the concept of cyber-war may arise from a reliance on medieval military metaphors when describing logical security. Moats, gates, walls, keeps, and sally ports once described physical structures that were reduced through violence. To lay siege to your opponent’s castle or breach his defenses were acts of war that could be met with deadly force.

Cyber-espionage (and probably cyber-crime) is better described using terms of deception, spy-craft, or contagion, but the war-fighters much prefer kinetic expressions to public health models.

How about we agree not use the term cyber-war unless stuff is being wrecked or people are being killed using computers, and when the defender’s response options include JDAMs or the violent ministrations of special operators?

Comment by William R. Cumming

May 29, 2012 @ 4:53 pm

Notice the Dragons never seemed to hurt the captured beautiful Princesses the knights had to rescue?

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>