CircleID

As a follow up to Susan Brenner's Networks and Nationalization and my comment there, I will go further in this post and talk about the "cyberwar" and "offense" aspects of her article.

I think I made this point elsewhere as well… but before getting into a war, it'd be a brilliant idea to actually know that you can win.

Cyberwarfare is the sort of game where you don't really need to be a huge government with the largest standing army in the world and sophisticated weaponry in order to win. Any teenager in his basement can control a botnet. And a botnet targeted at a poorly secured site will take it down, never mind whether the site belongs to the US government, or to the Iranians, or the Chinese, the Russians, Indians, etc. etc.

In other words probably the best way to go in a so-called "cyberwar" is defense. Harden your security. And make efforts to take down the sources of the DDoS or other attack as a way to mitigate it.

Not by breaking into it — that's not a good idea — it will very likely end up affecting an innocent party, and you might not even have taken out the actual source — given that a lot of botnet C&Cs are usually compromised hosts, controlled by a chain of proxies from god knows where else (connecting those dots is quite tough, when a botnet is done right).

Rather, by actually using the public private partnership you have, internationally, to work with upstream providers of the source to mitigate these attacks, work with the providers of your critical infrastructure's connectivity to filter attack sources etc. etc.

A textbook case of "how not to do this" — during the recent North Korea (!) DDOS: A vietnamese antivirus / security vendor, BKIS and their analysis said the command and control servers were in the UK — again, quite possibly compromised hosts were used for the C&C.

That turned into a "The UK, not North Korea, is behind this cyberattack" in the media. Which doesn't sound quite right to me.

Another interesting development in that case — it appears as if the (south) Korean CERT's emails to the APCERT community got released to a vietnamese newspaper by BKIS.

And then the CEO of BKIS says they've not done wrong by breaking into the UK based command and control servers for those bots, quoting a vietnamese law that says "agencies are entitled to take action on a cyberattack first and report it to the concerned agency afterwards". The concerned agency here would be the vietnamese CERT, I expect.

While that law is ambiguously worded, it is typically against the law, in most countries, such as the UK, to gain unauthorized access to a computer over the Internet. And long arm / extraterritorial enforcement of law is something that works according to certain fairly well defined rules and procedures . . . and besides that's something a government agency would do, dealing with its counterpart in the other country to rely on enforcement.

Not to mention that this law is being quoted to justify extra territorial action by what appears to be an antivirus vendor — a private industry — rather than a government agency. Which makes the situation even stranger.

These considerations all have to be kept in mind before any response to a cyberwar, or even a run of the mill DDoS attack, can be mitigated. In fact, given that the Estonia incident was quoted, the mitigation there was entirely private action. There was a RIPE meeting ongoing in Tallinn, and the people attending it were most of the network administrators that'd have to work together to mitigate the incoming attacks.

There's an interesting presentation from Hillar Aarelaid of the Estonian CERT, at a RIPE meeting, and an audiocast as well (at 38 minutes, in the mp3 below):

mp3 talk from Hillar Aarelaid,
http://www.ripe.net/ripe/meetings/ripe-54/presentations/friday.html
http://www.ripe.net/ripe/meetings/ripe-54/podcasts/plenary-10.mp3 (mp3)

That was actually a textbook case of public private coordination, in real time, for mitigation of a cyberattack.

I don't see how or where nationalization of a country's networks is going to help at all. In fact the inevitably slower action that'd occur when there's a government agency in charge of the nation's networks would hinder rather than help efforts.

By Suresh Ramasubramanian, Architect, Antispam and Compliance

Related topics: Cyberattack, Internet Governance, Policy & Regulation, Security, Telecom