title:

The good cyberattack

By Scott Bradner

Two weeks ago I talked about methods by which law enforcement could cyber-target individual miscreants. (http://www.networkworld.com/columnists/2009/042309bradner.html) Since then the National Research Council (NRC) of the National Academies of Science published a report on a whole different scale of cyber targeting. The new report deals with the policy issues of the US mounting cyber attacks on groups of cyber terrorists or on countries.

As is generally the case with NRC reports, this report titled "Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities," is very well balanced. It is the product of a 14-person committee, including people of rather diverse backgrounds and interests. The statement of the committee's task starts "The National Research Council will appoint an ad hoc committee to examine policy dimensions and legal/ethical implications of offensive information warfare." This report, which is readable, though very laboriously, on the web - http://www.nap.edu/catalog.php?record_id=12651 - does not provide a roadmap on how to conduct cyber warfare, instead it examines the "many questions and issues" associated with the officially sanctioned use of cyberattacks.

The report presents 22 findings and makes 12 specific recommendations. (they can be found in the summary http://www.nap.edu/nap-cgi/report.cgi?record_id=12651&type=pdfxsum) The findings include the obvious - that "private parties have few useful alternatives for responding to a severe cyber attack" - to the hidden - "both the decision-making apparatus for cyber attack and the oversight mechanisms for that apparatus are inadequate today." The recommendations are not all ones that most governments would much like since they address the need to "conduct a broad, unclassified national debate and discussion on cyberattack policy," and that policymakers "should apply the moral and ethical principles underlying the law of armed conflict to cyberattack." Talking about military techniques and strategies in public is just not done.

On the defensive side some discussion seems to be happening. The National Journal magazine is reporting that US is developing a Defense Industrial Base initiative in which the government tries to help companies better protect their, and sometimes government, information - such as the plans for the Joint Strike Fighter. (http://www.nationaljournal.com/njmagazine/id_20090502_5834.php)

One of the problems with cyberatacks is that there is little government specific about them. A handful of hackers can put together as powerful a attack using a botnet as a government with all its might and money can. That is, unless the government has the cooperation of a major software company (see Purina Paranoid Chow? - http://www.sobco.com/nww/2002/bradner-2002-11-11.html) or, as I talked about two weeks ago, anti-virus companies.

Barring such arrangements, which clearly not all governments could have, the folks making money off spam (see "Spamalytics: An Empirical Analysis of Spam Marketing Conversion - http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf) have reason to hack into your and my computers and turn them into zombies to do their bidding. Any government managed cyberattack system would have to have some of the same characteristics of the spammers approach - at least the hacking and subverting parts. Of course, attacks could not just come from a few machines since they could be easily blocked, so a government-blessed attack could look a whole lot like one from a bad guy. The dialogue that the NRC report calls for will need to explain how they are different.

disclaimer: Students at a number of Harvard schools are taught to try to differentiate between actions that may look the same but are not, including the business and law school as well as the medical school - but, as far as I know, none of them have provided an opinion on a description of a good cyberattack.