Sunday, September 20, 2009

The 'Cyberwarfare' Problem

Last week I attended ArcSight's annual user conference in Washinton DC. More about that in a later post. During the conference, ArcSight hosted a panel discussion on cyberwarfare. In DC, where many of ArcSight's biggest customer are based, this is a hot topic, and there will be a lot of time spent discussing it and a lot of money spent on defending against it, maybe.

What struck me about the panel discussion were two comments, both made by James Lewis, one of the panelists, and a director at the Center for International and Strategic Studies. At one point, Mr. Lewis invoked Estonia as an example of state-sponsored cyberwarfare, and made the comment that, "the Russians are tickled that they got away with it." Not ten minutes later, an audience member asked a question about retaliation against cyber-attacks. Mr. Lewis responded to the question by pointing out the problem of attribution. That is, from the logs that the victim systems generated, the IP address(es) recorded can't reliably be used to identify the actual individual(s) responsible for the attack.

Now, I don't intend to pick on James Lewis. It just so happened that one person on the panel expressed the paradox of cyberwarfare. The attribution problem is a big problem for all outsider attacks, not just cyberwarfare. A decade ago, security analysts were calling it "the legal firewall" because US-based hackers would first hack computers in China, Indonesia, Venezuela, or another country that doesn't openly cooperate with US law enforcement, and then hack back into the US from there, causing an investigative barrier that would hinder or prevent an investigation being able to get back to the attacker's actual location.

So knowing that there's a very real problem with being able to identify the source country for Internet-based attacks, it stands to reason that using the same limited forensic data to not only identify the actual source of an attack, but to determine that it is in fact state-sponsored, and not, say, a grassroots attack armed by a teenager, is a stretch. And for that reason, the question of cyberwarfare is an open one. Until a government actually comes forward and claims responsiblity for an attack, it's unprovable.

So as the government spends $100M on cyberdefense over the next six months, it's important to try and answer the question, "What is the military actually defending against?" At the very least, it's fair to say nobody knows for certain.

1 comment:

jbmoore said...

There's a lot of hype on the subject of cyberwarfare. I think a distinction needs to be made between actual network based warfare and espionage. The smart attackers will conduct espionage on you and "own" your network by maintaining a stealthy presence (see and Cyberwarfare is much more problematic and as Marcus Ranum points out in the #4 podcast, subject to the "Blind Mike Tyson Effect". Espionage is a stealthy, covert means of intelligence gathering and fighting. It's not blatant and dramatic like the examples of cyberwarfare that pundits and so-called experts use. While hyperbole like this helps people like us keep our jobs, the end result may be that none of us are any safer than we are now because resources and people are being allocated and deployed improperly. While Windows has gotten hardened as an OS, it's still the easiest operating system to compromise through its browser or Adobe Reader via client side attacks. You can beef up defenses all you like, but if you are primarily running Windows systems on your network, you are still very vulnerable to just about any zero day client side or phishing based attack (

Look at banks.Their internal security is excellent for the most part. The bad guys don't target the banks themselves. They go after the weakest links, the customers' systems or the credit card transaction clearinghouses. Espionage will work the same way. The spy agencies will target specific executives and their computer systems. (

So, I concur with your reservations. The elephant I see in the room that no one speaks about is making the vendors liable for defective or poorly written software that was not adequately vetted for security bugs. They sell us crap under flimsy EULAs and get away with it even though it ultimately costs them and us more money to fix and defend.