nanog mailing list archives

Re: Nato warns of strike against cyber attackers


From: Steven Bellovin <smb () cs columbia edu>
Date: Tue, 8 Jun 2010 17:37:02 -0400


On Jun 8, 2010, at 5:15:13 PM, Brielle Bruns wrote:

> On 6/8/10 3:08 PM, Peter Boone wrote:
>> So let's say a cyber-attack originates from a Chinese script kiddie.
>>
>> Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
>> Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
>> Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
>> Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
>> will all respond by invading China? Is NATO trying to start a war here?
>>
>> There's no mention in the article about any kind of electronic response to
>> the attack.

> Of course, their reasoning seems to be that there's no possible way an attack could be from Russia, but using an open
> proxy, relay, etc. in China.  It's not like an IP is guaranteed to be directly controlled by someone in that country.
>
> So, we end up invading China, and while all of our troops are there, Russia comes in and takes over the US or the EU
> without much effort.
>
> Note I'm just using Russia and China in examples here, no specific reason that it could only be them.
>
> If I didn't know any better, I'd say they let Bush write their policies.
>
> Packets of mass destruction?

The issue of attribution -- and the extreme difficulty of doing it in the online world -- is *very* well understood in
Washington, even at the policy-maker level.  I'm currently a member of a National Academies study committee on
"cyberdeterrence" (http://sites.nationalacademies.org/CSTB/CurrentProjects/CSTB_054995); we've discussed that point ad
nauseam.  Consider this text from p. 9 of our letter report:

        "for many kinds of cyberattack the United States would almost certainly not be able to ascertain the source of 
such an attack, even if it were a national act, let alone hold a specific nation responsible. For example, the United 
States is constantly under cyberattack today, and it is widely believed (though without conclusive proof) that most of 
these cyberattacks are not the result of national decisions by an adversary state, though press reports have claimed 
that some are. In general, prompt technical attribution of an attack or exploitation—that is, identification of the 
responsible party (individual? subnational group? nation-state?) based only on technical indicators associated with the 
event in question—is quite problematic, and any party accused of launching a given cyberintrusion could deny it with 
considerable plausibility. Forensic investigation might yield the identity of the responsible party, but the time scale 
for such investigation is often on the order of weeks or months. (Although it is often quite straightforward to trace 
an intrusion to the proximate node, in general, this will not be the origination point of the intrusion. Tracing an 
intrusion to its actual origination point past intermediate nodes is what is most difficult.)"

But read the next paragraph, which discusses other ways to figure out who did it.

We can hope that no one in Washington (or Beijing or Moscow or the capital of Elbonia) is stupid enough to rely on IP
addresses of the actual attacking machines as a definitive indicator.  Given how widely understood that is, it's not
even on my list of things to worry about.  The question that report is tackling is this:  *if* there is a serious
online attack on critical infrastructure -- say, turning off some generators with extreme prejudice
(http://edition.cnn.com/2007/US/09/26/power.at.risk/index.html), and *if* you know who did it, is a "kinetic" response
on the table?  This has nothing to do with the botnet du jour, nor with Sen. Lieberman marching into your NOC with a
subpoena for your "enable" passwords.  And while people in Washington (or Beijing or Moscow or the capital of Elbonia)
can be quite stupid, they're (usually) not quite as stupid as all that.  And yes, serious mistakes can be made.  One
more quote from the report (p. 8):

        "History shows that when human beings with little hard information are placed into unfamiliar situations in a 
general environment of tension, they often substitute supposition for knowledge. In the words of a former senior 
administration official responsible for protecting U.S. critical infrastructure, 'I have seen too many situations where 
government officials claimed a high degree of confidence as to the source, intent, and scope of a [cyber]attack, and it 
turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt.'"



                --Steve Bellovin, http://www.cs.columbia.edu/~smb