On Jun 8, 2010, at 5:15 13PM, Brielle Bruns wrote: > On 6/8/10 3:08 PM, Peter Boone wrote: >> So let's say a cyber-attack originates from Chinese script kiddie. >> >> Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, >> Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, >> Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, >> Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States >> will all respond by invading China? Is NATO trying to start a war here? >> >> There's no mention in the article about any kind of electronic response to >> the attack. >> > > > Of course, their reasoning seems to be that theres no possible way an attack > could be from Russia, but using a open proxy, relay, etc in China. Its not > like an IP is guaranteed to be directly controlled by someone in that country. > > So, we end up invading China, and while all of our troops are there, Russia > comes in and takes over the US or the EU without much effort. > > Note i'm just using Russia and China in examples here, no specific reason > that it could only be them. > > If I didn't know any better, I'd say they let Bush write their policies.
Packets of mass destruction? The issue of attribution -- and the extreme difficulty of doing it in the online world -- is *very* well understood in Washington, even at the policy-maker level. I'm currently a member of a National Academies study committee on "cyberdeterrence" (http://sites.nationalacademies.org/CSTB/CurrentProjects/CSTB_054995); we've discussed that point ad nauseum. Consider this text from p. 9 of our letter report: "for many kinds of cyberattack the United States would almost certainly not be able to ascertain the source of such an attack, even if it were a national act, let alone hold a specific nation responsible. For example, the United States is constantly under cyberattack today, and it is widely believed (though without conclusive proof) that most of these cyberattacks are not the result of national decisions by an adversary state, though press reports have claimed that some are. In general, prompt technical attribution of an attack or exploitation—that is, identification of the responsible party (individual? subnational group? nation-state?) based only on technical indicators associated with the event in question—is quite problematic, and any party accused of launching a given cyberintrusion could deny it with considerable plausibility. Forensic investigation might yield the identity of the responsible party, but the time scale for such investigation is often on the order of weeks or months. (Although it is often quite straightforward to trace an intrusion to the proximate node, in general, this will not be the origination point of the intrusion. Tracing an intrusion to its actual origination point past intermediate nodes is what is most difficult.)" But read the next paragraph, which discusses other ways to figure out who did it. We can hope that no one in Washington (or Beijing or Moscow or the capital of Elbonia) is stupid enough to rely on IP addresses of the actual attacking machines as a definitive indicator. Given how widely understood that is, it's not even on my list of things to worry about. The question that report is tackling is this: *if* there is a serious online attack on critical infrastructure -- say, turning off some generators with extreme prejudice (http://edition.cnn.com/2007/US/09/26/power.at.risk/index.html), and *if* you know who did it, is a "kinetic" response on the table? This has nothing to do with the botnet du jour, nor with Sen. Lieberman marching in to your NOC with a subpoena for your "enable" passwords. And while people in Washington (or Beijing or Moscow or the capital of Elbonia) can be quite stupid, they're (usually) not quite as stupid as as all that. And yes, serious mistakes can be made. One more quote from the report (p. 8): "History shows that when human beings with little hard information are placed into unfamiliar situations in a general environment of tension, they often substitute supposition for knowledge. In the words of a former senior administration official responsible for protecting U.S. critical infrastructure, 'I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of a [cyber]attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt.'" --Steve Bellovin, http://www.cs.columbia.edu/~smb