CYBER-TERRORISM: WHEN WILL WE FIGHT BACK?
By Michael S. Malone
When does a cyber-attack by another nation cross the line and become an official act of war?
I suspect that I wasn’t the only person who asked himself that question this week – and I hope that some of those people were at the highest levels of the federal government.
As I’m sure you read, or saw on the news, beginning on the fourth of July and continuing well into the week, government and private company websites in the United States and South Korea were attacked by unidentified hackers who tried to crash them. Target institutions in the U.S. included the Departments of Transportation, State and Treasury, the White House (reportedly), the New York Stock Exchange, Yahoo and the Federal Trade Commission.
The type of attack was a so-called “distributed denial of service”, a classic hack that attempts to overwhelm targeted sites with massive amounts of data – and thus freezes out access by anyone else. In this case, the vehicle appears to have been a well-known software “worm” that was reprogrammed – and not particularly well, it seems – for the task. Still, for all of its crudeness, the attack did work; in the U.S. some sites were down for as much as 24 hours, and in South Korea some are still crashed.
Intelligence services in both countries have traced the attack to North Korea, but refuse to place the blame any more precisely. Yeah, right. As if all of those millions of middle-class teenaged private owners of broadband connected laptops all over that electricity Black Hole called the People’s Republic of North Korea spontaneously decided to hack the websites of another country’s government and largest corporations.
We all know why Washington (and to a lesser degree, Seoul) doesn’t want to point fingers. After all, once you fix blame for an act of aggression, you’re then supposed to do something about it. And, the reasoning goes, you don’t want to make Pyongyang angry because those guys are crrrrrraaaaazzzzzy. They could do anything, like maybe aim twice as many missiles at Hawaii next time, or put two freighters filled with weapons to sea.
So, instead, we resort to our usual response to these kinds of cyberattacks: we blame ourselves. And that’s why, right on schedule, the Feds, security experts, and bloggers all shook their heads in dismay and in unison decried the obvious failure of our security programs to protect our vital on-line information. Once again, we sat back, waited for another attack – and when it succeeded, at least partially, we wrung our hands and asked why we can’t defend ourselves better.
I think the real question we should be asking ourselves is: Why do we continue to see defense as our only option? After all, if there is one thing every cop and security expert knows, it is that given enough time a burglar can break into any home, no matter how tightly locked, and a robber can crack any safe, no matter how elaborate. So, why have we convinced ourselves that our online property can remain safe behind an electronic Maginot Line, no matter how tall and thick?
45 Comments
1. The Death of Journalism « Bottom Left Politics: [...] Edgelings.com » Cyber-Terrorism: When Will We Fight Back? [...]
Jul 10, 2009 - 3:23 am
2. Pajamas Media » Cyber-Terrorism: When Will We Fight Back: [...] the rest of the story here. (Also read “Kim Chi in the Intertubes” by Charlie [...]
Jul 10, 2009 - 10:40 am
3. Strawman: That’s all well and good, but TCP/IP has to go. It was never meant as a coatrack for the world’s economy. If the administration wants to engage in a worthy technological project, rather than jousting with carbon jinns, this is it.
Jul 10, 2009 - 10:47 am
4. Delia: “One of the most interesting bits of news to come out of the coverage of this cyber-attack was the fact that, according to the Department of Homeland Security, the rate of online security breaches on government and private institutions in this country is skyrocketing”
Yep. Just wait until the government puts all of our medical records ‘online’.
Remember when Palin’s email account got hacked by a Lefty’s son? Nothing really came of it.
Not cute.
Jul 10, 2009 - 10:53 am
5. Strawman: Marc, with all due respect, do you have the foggiest idea what you’re talking about? These embedded processors aren’t running windows, or any non-proprietary OS, and most aren’t running any OS at all. They’re not subject to hacking through viruses and traditional attacks. They’re not even i86 architecture processors.
The only way for an industrial system to be attacked is:
1) some idiot actually did it the hard way and interfaced a windows box to some physical I/O – and – interfaced it to the internet, or
2) somebody used a windows PC for OI and SCADA, and interfaced it to a PLC or similar embedded device – and – interfaced it to the internet – and – the hacker knows exactly the make and model of the PLC and is able to reverse engineer its command set.
Neither scenario is impossible, but both are highly negligent, and easily avoided. Rule #1: never connect a critical node to the internet unless it’s absolutely necessary, and through a VPN, and all engineering changes (including software updates) signed off by an IS committee of at least 4.
Do you really think the DoD is stupid and negligent enough to do this?
Jul 10, 2009 - 11:00 am
6. Meryl: When we will fight back?
Oh, I suppose about the time our State Department decides to support Hondurans who still like their Constitution.
Or maybe when Col. obama decides to make another slashing, riveting statement on behalf of freedom with regard to the situation in Iran.
Good grief. It’s all our fault. We have made the Norks feel so bad over the years–you know, because of the starving their people/executing the masses stuff.
Their self image is in the tank because of us, so when they go tippy-tapping around our corporate computer systems, that’s just the equivalent of TP-ing the superintendent’s house on Friday night after the big game.
If President Thug and his Chief of Staff Ballerina actually ever decide to “fight back” against the attacks against America that they have spawned in their endless 7 months in power, they’re going to have a to-do list that will keep them busy for the rest of their term (that would be about 20 months, I hope).
I don’t understand any idea that supposes we’re GOING to fight back. This crowd is trying to euthanize America via an international cockfight by all means possible. They are secretly grateful to the Norks and anyone else that initiates attacks of any kind.
Jul 10, 2009 - 11:37 am
7. Ellen K: I know that some of our national websites such as the White House and the NSA were under attack by this particular slew of cyberattacks, but I have heard NOTHING about the Citibank attacks. There’s been nothing in the news, but I was contacted and told that my card, along with many others, had been hacked. They are replacing the cards with new numbers, which tells me that this is a pretty serious breach. Was this also part of the cyberattack and if so, why isn’t the media discussing it?
Jul 10, 2009 - 11:45 am
8. Delia: 7. Ellen K,
YIKES. I hadn’t heard about the Citibank hacking before!
I’m always telling my husband to not share his social security number and mother’s maiden name over the internet but he counters with, “Well isn’t that stuff online anyway with these banks?”
UGH. He’s probably right.
Jul 10, 2009 - 12:10 pm
9. Strawman: Just a reminder -
Attacking a website is NOT the same thing as attacking the core operations. In a properly designed enterprise system, the important stuff will be locked up well. The main page? No. And as Marc said, DDOS attacks are kid stuff.
This is a potato in the tailpipe. Annoying, but not really destructive. It’s the coke in the gas tank kinds of attacks that we need to be worried about, and like with the gas cap, we generally have them locked.
Jul 10, 2009 - 12:22 pm
10. zanne: Wasn’t O appointing an internet czar? Seems to me he made that announcement a few weeks ago. Interesting timing for this set of events. I wonder if it isn’t self inflicted to allow him to own this also. Remember we “can’t waste a crisis!”
Jul 10, 2009 - 12:32 pm
11. Ratatosk: *groan*
The current set of cyberattacks are coming from a distributed network of zombie PCs for the most part. In fact, I wouldn’t be all that surprised if some PC’s owned by the readers of PMJ are infected with a very similar sort of trojan. As a distributed attack, we have no way of verifying who is attacking, if it’s a government, a group of crackers that have loyalties to some government, a group of crackers that just happens to want to hit the US or what… there is no simple enemy to go jump on. Yes, it could be North Korea. It could be Iranian, using a botnet in Korea, dunno why they might want to distract us, do you? It could be Russian… it could be a group here in the US. It doesn’t matter WHERE the botnet comes from, on the Internet ANYONE can control those systems if they know what they’re doing. Hell, at this point you can go buy time on a botnet from the right places and have it do whatever you like, send spam, run a cracking script, attack US websites.
Further, let’s talk about the ‘attack’. A distributed DoS attack is much like a sit-in. Basically, a whole bunch of people are blocking the front door to a publicly available website for some period of time. It’s an annoyance… not an act of war… at least not in any sane mind. The real issues that involve actual attacks or compromises of government and corporate resources do get investigated. DDoS attacks just aren’t worth investigating; it would waste time and money.
As for Citibank, they’ve been hacked several times, I wouldn’t use them as a bank, personally. One of the training sessions I was in included an FBI agent that was involved in a Citibank hack from some time ago where Russian Mafia had hacked into a router owned by Citibank and were stealing a few pennies off of every transaction that went through (we call it a salami attack).
And finally, ANY corporate or government network has a public facing side and a private side… most have special networks inside their network for really sensitive stuff. DDoSing a website is just an annoying prank, tis not risking anything serious.
Jul 10, 2009 - 12:59 pm
12. Delia: Strawman, thank you for the straight talk. A lot of what you said went over my leetle blonde head but, I appreciate you setting the record straight.
Oddly, and, perhaps off-topic but:
Why do they tell you to turn off your cell-phones in a hospital or doc’s office if things are so ‘secure’?
I am NOT being paranoid. Much.
Jul 10, 2009 - 2:11 pm
13. "progressive"watch: The North K.s did us a favor. They let us test our system. This is nothing to the attacks we would constantly be under in a sophisticated cyberwar.
Jul 10, 2009 - 2:45 pm
14. BC: I know one or two things about the goings-on in this area, and things are a wee bit of a mess right now in cyberville, and pretty much another Bush legacy (with more to come….) The way botnets, for example, were allowed to grow so huge and widespread is inexcusable. Things are happening, though, but it’s pretty much all stuff away from the public eye, and press scrutiny has been wanting — oh wait, I forgot that our press is dying away, so we’re running out of people who scrutinize and investigate this sort of thing. In any case, never use the kids’ computer for anything important, be diligent in checking credit card statements, avoid casual use of ATM cards, use separate sets of ID’s and passwords for email, financial sites, online purchasing, blog sites and such, and especially social networking sites like Facebook.
Contemplate using a Linux system, maybe by reusing an older PC and installing Ubuntu or such, for when you want more security for non-goofing around web access. The more advanced viruses and worms remain undetectable by most antivirus products for longer and longer periods (it looks as though HIPS systems — look it up — will need to replace current antivirus software in the not too distant future.) Web 2.0 security is a joke and talk of cloud computing is making hackers drool.
Jul 10, 2009 - 2:57 pm
15. Meryl: Maybe my amateurish paranoia has provided me with protection, based on BC 14’s suggestions.
As I look over my list of passwords and user names for about 30 sites that I regularly use (everything from finances to blogs and shopping), I don’t think I reuse the same name/password combo in any two of them! And they are TOTALLY different–not just tweaks on a basic id.
It was the only way I knew to protect myself in case someone figured out any of it. I just keep a current list of my info posted near my computer.
I also check bank activity EVERY day, credit card activity EVERY day and NEVER EVER use my debit card as a debit card (requiring that I enter a pin #)…I use it only where I can swipe it as a credit card.
Jul 10, 2009 - 3:06 pm
16. Charlie (Colorado): Strawman, sadly, I wish that were true. But it turns out that there are a bunch of things in more or less embedded uses, like ATM machines and machines controlling the power grid, that *are* running Windows.
I expect I’ll have a good bit more on this up before too long.
Jul 10, 2009 - 3:26 pm
17. Strawman: Delia, different issue entirely. The theory is the same reason why they tell you to shut your phone off in an airplane during takeoff. They can’t prove that it won’t interfere with their electronic equipment, so they assume that it will.
How likely is it that it actually will interfere? Not very. But not impossible, either. And the lawyers are watching, and licking their chops.
Jul 10, 2009 - 3:27 pm
18. Strawman: Charlie, be careful when you say “running” the “power grid”. As I said, it’s not at all uncommon to use a windows box for SCADA. That’s not “running” anything, but it does give a very knowledgeable hacker with inside information a potential way to get inside the PLC if he knows what he’s dealing with.
In reality, I’d be a LOT more concerned about a much easier mode of attack; a company who has to hire a terrorist for fear of a discrimination lawsuit. If these facilities are going to be attacked, it’s going to be from the inside. And afterward, when we all ask why a terrorist was hired for a sensitive position, it’s going to be because…well…David Thompson can ’splain all of that in detail.
Suffice to say that our problems aren’t technological, they’re organizational.
Jul 10, 2009 - 3:33 pm
19. John Schau: To answer the question, we won’t fight back now. Nothing will be done until we return someone with a spine to the White House. Obama will just tell them he is “deeply concerned,” ask them nicely not to do it again, kiss their hands, bow at their feet, and leave.
Jul 10, 2009 - 5:32 pm
20. Delia: 18. Strawman,
YIKES. Excellent points. It’s the ‘inside’ jobs that ARE a huge fear factor and yep, with all of the ‘PC’ crappola I wouldn’t doubt a scenario like the one you mentioned.
Remember soon after 9/11 when some black people were interviewed about ‘racial profiling’ and the black people said they were ‘fine’ with it as long as the ‘racial profiling’ was of Mid-Eastern people?
Funny how when they were ‘afraid’ of a certain ‘type’ of person they were so quick to feel that ‘racial profiling’ wasn’t such a bad idea.
Hmm.
Jul 10, 2009 - 7:00 pm
21. John Moore: Nonsense! The penalties for low impact hacking are far worse than for major financial embezzlement. You can go to club fed for simply reading someone else’s email. The laws regarding hacking, in fact, are overly harsh (for many cases) and not strong enough (for others). In other words, congress did what they do best when faced with something new and scary – passed poor laws.
Jul 10, 2009 - 7:42 pm
22. John Moore: Reportedly, this particular DDOS attack includes instructions to wipe at least the first megabyte of the PC’s hard drive once it is done attacking. The economic impact of this could be far greater than the DDOS attack itself.
If in fact the Norks cause a whole bunch of economic damage through computer viruses, they have committed an act of war. Don’t hold your breath for this administration to do anything about it, unless they hack Obama’s Blackberry.
Jul 10, 2009 - 7:43 pm
23. Kabud: >20. Delia:
the most critical profiling is `Russian` and any connection to them
forget about Islamists
in 2001, after 9-11 one official at the NATO headquarters actually said that Osama Ben laden or any existing islamist radical group could NO WAY had resources or intelligence to execute THAT
why did we have to swallow all this bullcrap from Washington on this non-existing Al-quada guys when no professional EVER believed any of this lies
The worst part is that the next one is definitely coming and with lies like we are fed with from the idiot tv box our nation is not ready and MANY people will die which is totally unnecessary
Jul 10, 2009 - 7:44 pm
24. RandyChandler: Fight back? Well, Pelosi and her chastened CIA could hire some of those Soros trolls to bore our cyber enemies into a stupor and then hit them where it hurts with Obama’s Greatest Speechifying Hits.
Jul 10, 2009 - 7:49 pm
25. Strawman: Say what? How do you do that with a DDOS? That’s like performing surgery with a megaphone.
Jul 10, 2009 - 7:56 pm
26. John Moore: Not at all. DDOS these days is done by infecting numerous computers with viruses/worms (“bots”) which then flood target sites with traffic. Those same bots, if they have the code or can download it, can be commanded to do anything else a program is authorized to do on a PC, which includes wiping the disk.
Jul 10, 2009 - 8:18 pm
27. Strawman: You got the cause and effect backward. The infection causes the DDOS, not the other way around.
Jul 10, 2009 - 9:29 pm
28. Dave: What can we do?
Jul 10, 2009 - 10:03 pm
29. James S.: Shut them out.
The information routes in and out of N. Korea are few because of the tight control by their freaky government. It shouldn’t be too hard to close off enough outside access to really mess things up. Once the ruling elite find they can’t access online gambling and pirated videos, they will quickly crumble.
When will we fight back? Who says we are not or that we haven’t? Most countries that would attack us would not advertise that we hammered them electronically if they could avoid it. Unfortunately, a cyber war is largely invisible to the average person until they can’t read their email.
Jul 10, 2009 - 11:34 pm
30. Caestal: “As if all of those millions of middle-class teenaged private owners of broadband connected laptops all over that electricity Black Hole called the People’s Republic of North Korea spontaneously decided to hack the websites of another country’s government and largest corporations.”
Jul 11, 2009 - 2:44 am
31. James S.: Shows a complete lack of understanding of computer networking. Ratatosk was kind enough to go over some of the flaws in that logic. Yes, the government of North Korea is possibly the source of the attacks, but they are just one of a long list of possibilities, and not even the most likely one. Frankly, there are a lot of folks out there who see themselves as hackers/crackers/whatever that are not affiliated with any particular government, but that would do this for the thrill of it. A DDOS takes very little skill anyway; frankly, it is something script-kiddies can do with a little effort. (script-kiddies are folks who have little or no technical knowledge, but download hacking software from hack sites and utilize it as it comes to them, more or less).
Actually, I just found an article on Strategypage.com that talks about this subject. Good reading.
http://www.strategypage.com/htmw/htweap/articles/20090710.aspx
Jul 11, 2009 - 3:30 am
32. John Moore: Strawman, what is it about the word then that you don’t understand?
Jul 11, 2009 - 9:20 am
33. Me: Looks like cyber warfare is the next Cold War…
Jul 11, 2009 - 11:00 am
34. stex: Call up South Korea and China and say (don’t ask for permission) and give the exact time and date. We are going to fly two or three cruise missiles with neutron bombs over North Korea and blow them up.
Would take care of North Korea’s computers, electricity capacity, cars etc.
Out the computer hacking business for a little while.
Jul 11, 2009 - 11:46 am
35. Gary Ogletree: The best defense is a good offense. Fat chance with Obama. He’s more interested in changing the playoff schedule for College Football.
Jul 11, 2009 - 7:22 pm
36. Douglas: Why don’t you ever hear of someone hacking the IRS? Get in and insert a command to delete any income credited to your SS number.
Jul 11, 2009 - 7:50 pm
37. Dr Strangelove: Obama is a weakling. On his own accord he won’t do anything. Thankfully, we have individuals capable of knowing what the proper response should be in the event something like this escalates beyond a probing event.
Jul 12, 2009 - 9:04 am
38. Meryl: 37. Dr Strangelove
Where’ve you been all these years??!!:) I’m thinking we might be needing some help from someone like you!……is there any chance there are some unknown “individuals capable of knowing what the proper response should be in the event” of a “president” knowingly violating the constitution and setting our nation up for destruction?
I do keep wondering if it’s really OK with those yahoos in Congress. I guess it is, since none of them are STOPPING him. (talking doesn’t count. He has to be stopped)
Anyway, I liked your comment, and I agree with you that, buried in the military/IT complex somewhere there ARE actually responsible individuals who will competently do their duty.
Now if we could just get someone like that in the White House. I guess they’d have to get by the ballerina Chief of Staff first.
Jul 12, 2009 - 3:24 pm
39. Dr Strangelove: 38. Meryl. There’s a clause in the oath of office I, and every other member of the armed forces, took that states: “…that I will support and defend the Constitution of the United States against all enemies, foreign and domestic…” The people running the show better remember that. Though I have long retired from the Air Force, I expect the Joint Chiefs of Staff to keep a wary eye on the policies being formulated and implemented by the President and Congress and uphold their oath for the sake of the Republic and American citizens.
Regarding our national IT infrastructure, while it can’t be 100% protected, those vital to the security of the nation can. The Army, Navy, Air Force, as well as civilian agencies all have cyber experts that do a great job of protection. Recently, the DoD set up a new “Cybercommand” in San Antonio that should begin to pay dividends shortly.
Jul 12, 2009 - 5:46 pm
40. Meryl: 39. Dr Strangelove…thanks for your further comments…
Do you believe that the Joint Chiefs actually see themselves functioning with distinct responsibilities, regardless of how they might impact the Executive?
Do they serve “at the pleasure of the President” so that he can just dump them if they make him nervous?
Jul 12, 2009 - 7:09 pm
41. Caestal: In the end, the President is also the Commander in Chief, so yes, the joint chiefs report to him, and are required to follow any legal orders…
Jul 13, 2009 - 1:31 am
42. Paul in MI: My first thought is this: If we did fight back, what makes you think you’d hear about it? Our internet warfare capabilities and any operations involving them are highly secret for obvious reasons. So arguing about what we’re doing or should be doing is completely pointless.
Jul 13, 2009 - 8:32 am
43. Dr Strangelove: 40. Meryl. The JCS must operate within guidelines established by the Secretary of Defense who obviously takes orders from the President. They must be politically savvy to both attain the rank and position and keep it…but, that said, they can always slow-roll things much as they did during the Clinton administration. In doing so they can somewhat affect policy and decisions.
41. Caestal. You are correct, the operative words are ‘legal orders.’
Jul 13, 2009 - 1:53 pm
44. Ratatosk: UPDATE!
There is now some indication that much of the DDOS attack actually came out of the UK, not North Korea. However, it could be that NK used a UK botnet, or that a UK group used the botnet, or that Iran used a UK botnet etc… so it still doesn’t give us an idea of WHO we would counter-attack.
Jul 14, 2009 - 1:03 pm
45. Delia: Hire enough Acorn haxors and the cyber world is yours.
Jul 14, 2009 - 8:36 pm