Home / Blogs

Military Asserts Rights to Return Cyber Attacks

Terry Zink

The Washington Post had a good article up yesterday capturing comments issued by the United States military that it has the right to return fire when it comes to cyber attacks:

WASHINGTON — The U.S. should counter computer-based attacks swiftly and strongly and act to thwart or disable a threat even when the attacker's identity is unknown, the director of the National Security Agency told Congress. Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.

...

It's unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations. In cyberspace, he said, it is difficult to deliver an effective response if the attacker's identity is not known.

Senators noted, in their questions, that police officers don't have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.

This is an interesting point of view, and it extends from the United States's policy that if it is attacked using conventional weapons, it reserves the right to counter respond in kind. This has been a long accept precept governing US foreign military policy for generations. Yet cyber attacks are different for a couple of reasons:

  1. In cyber attacks, it is not physical infrastructure that is being attacked, and civilians lives are not directly threatened. It's a cat-and-mouse game and the response to a cyber attack is hard to respond to in like kind. In other words, how do you know how much damage that you want to do?
  2. The bolded part above, the second part, is convoluted. It is true that a police officer doesn't have to know the identity of a shooter in order to shoot back. However, a police officer certainly knows who is shooting at him (or her) because they can see the direction from which the bullets are coming towards them. In other words, there is a line of sight. They don't know the name of the shooter but they can definitely see them shooting.

    In cyberspace, you may not even know who is attacking you. You might see the attacker but it doesn't mean that the one doing the attacking is the one behind the attack. For example, in a DOS attack, networks of compromised computers would be attacking your infrastructure but the one behind the attack is not directly connecting to your network. Who do you counter attack? Do you do it in real time? There's no point attacking the zombie computers because they don't even know that they're doing it. The analogous to law enforcement is a thriller/horror movie — some bad guy is able to take control of unsuspecting citizens and get them to commit crimes. The police would know the shooter but they'd be returning fire at the "wrong" person.

Continuing onwards in the article:

Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a "strategic vulnerability."

Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions.

This is a more realistic view, in my opinion. Probably the best step is knowing where your vulnerabilities are and trying to defend them. As some famous coach said, "Offense brings fans, but defense wins championships." In other words, you can go on the offensive but weakness in your own systems can severely degrade and impair your ability launch an attack. If your internal systems are going haywire you can be totally disarmed and unable to launch a counterstrike.

Of course, once you do have your defensive ability up to snuff, or good enough, you will need a good offensive counterpunch. In boxing, if all you are doing is defending, eventually your attacker will wear you out as you absorb blow after blow (the exception being Homer Simpson where his opponents would hit him and tire themselves out and all he would have to do is push them over without throwing a single punch… the exception to that being Drederick Tatum). The rules of engagement for offensive counter strikes are more tricky. Does the US, after identifying a non-state actor attacking it, go after the actor themselves? Or do they pressure the government where the non-state actor is located to handle them? Or do they launch an attack on the government if they consider their enforcement lackadaisical? Or perhaps even intentionally sheltering cyber attackers?

I suppose that for this, the standard military rules of engagement apply.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: Cyberattack, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Hi Terry - yes, drawing analogies to shootouts with armed perps may be a bit far out Suresh Ramasubramanian  –  Apr 17, 2010 6:24 AM PDT

But when you have viruses being fully capable of taking down critical infrastructure installations that are connected to the computer network, undermining your financial system, taking out communications etc etc .. well, taking out a C&C;host or a few domains might actually make sense if you're able to do it.

Doesnt mean say - "if country X takes out our banks we'll take out theirs", a lot more nuanced.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

Sponsored Topics