Security The Military United States Politics IT

Chertoff Advocates Cyber Cold War 115

Jack Spine writes "The US and allied countries should formulate a doctrine to apply the principles of nuclear deterrence to cyber attacks and cyber espionage, according to former US Homeland Security secretary Michael Chertoff. No matter that it's very difficult to attribute the source of cyber attacks — just take punitive action against the platform being used to attack, says Chertoff."
This discussion has been archived. No new comments can be posted.

  • by Bill Dimm ( 463823 ) on Thursday October 14, 2010 @06:11PM (#33901384) Homepage

    ...nation states should be able to act against technologies in countries being used as a platform for attack...

    So, nuke Redmond?

  • False flags abound (Score:1, Insightful)

    by Anonymous Coward on Thursday October 14, 2010 @06:19PM (#33901510)

    Soon even the smallest of countries can wield the destructive force of a superpower: Just make it look like your opponent attacked the USA and the USA will do your dirty work.

  • by Darkness404 ( 1287218 ) on Thursday October 14, 2010 @06:19PM (#33901520)
    This is all incredibly stupid. First off, we should never have a "cyber cold war" because we shouldn't put our fucking important infrastructure on the internet! If it could harm human lives if it goes down and there isn't a non-networked backup that can be used at a millisecond's notice, it shouldn't be on the internet.

    If you've spent 2.3 billion to construct another power plant and you are too lazy to actually staff it, something tells me an extra $150,000 to run dedicated lines from it to your main office is just a drop in the bucket.

    If we can lay a direct telephone line between Washington DC and Moscow to prevent a nuclear war, something tells me we can afford to lay some cable 10 miles to prevent some "cyber cold war".
  • by Speare ( 84249 ) on Thursday October 14, 2010 @06:20PM (#33901530) Homepage Journal

    Just take punitive action against the platform being used to attack, says Chertoff.

    Just like we took punitive action against Logan Airport and United Airlines for 9/11? Oh, right.

    When "our adversary" uses the likes of Google or Akamai or British Telecom against us in a cyberattack, we're going to return fire on those platforms?

    Hey, I'm putting a scheme together about the RIAA...

  • "Cyber" (Score:5, Insightful)

    by Dystopian Rebel ( 714995 ) * on Thursday October 14, 2010 @06:23PM (#33901578) Journal

    "Cyber" is the vague sort of word that Government Management uses in an attempt to sound technologically astute. As soon as you hear a phrase such as "cyber war", you know you are dealing with a management automaton paddling beyond its depth.

    It's interesting to note that this term is a back-formation made from "cybernetics":
    "From Greek kubernētēs, governor, from kubernān, to govern."

    Makes it sound as though this is another war that is being invented by the government to spend the people's money to take the people's freedom away.

  • by Tei ( 520358 ) on Thursday October 14, 2010 @06:30PM (#33901670) Journal

    Anyone can fake the origin of an attack, so the basic rule about this is: never attack the attackers. If you do this, you can be used as a means to attack others! ... like your CPU power being used as part of a DDoS against a third party.

    The Internet just doesn't work like that.

  • by Anonymous Coward on Thursday October 14, 2010 @06:31PM (#33901688)
    And that'd be different from the current situation... how?

    For once, this is a proposal from the security theater industry that isn't batshit insane. You DDOS us, we null-route the offending nodes, or we politely ask whoever supplies your country with connectivity to do it on our behalf. You DDOS an airline reservation system, stranding millions, and we null-route your country until its uncooperative ISPs learn to play nice. You DDOS an air traffic control system so hard that you actually start killing people, and we not only null-route the country until the dust settles, but we also reserve the right to shut down the offending data center with a LART, presumably in the form of an earth-penetrating mallet. (And we expect that you will do the same to us, if our roles are reversed.)

    The present situation is that we run around like chickens with our heads cut off, make vague fearmongering sounds about "what if", and apply for increased funding. That'll happen too, but at least this way there'll be some ground rules as to what sort of retaliation is permissible. Go ahead and spy on us (if we catch you, we'll block you). Try to poke at us (but don't do much damage) and we'll get annoyed. Break our toys, and we'll break your toys. Do collateral damage, and the gloves come off.

  • Ahahahah! Fools! (Score:5, Insightful)

    by gweihir ( 88907 ) on Thursday October 14, 2010 @06:35PM (#33901718)

    Seems to me these people still do not understand the threat. This is not warfare. It is vandalism, petty theft, corporate espionage and maybe some extortion. You cannot fight crime of this sort with a cold-war strategy. Several reasons:

    • It is hard to identify the enemy, and when you do it will often be single individuals and very small organizations
    • The enemy is not afraid of counterattacks, since it does not have a similar infrastructure
    • The enemy is often hiding behind stolen identities (for example hacked servers), so the risk of hitting the wrong target is very, very high
    • This conflict is hugely asymmetrical in that the attacker has very low costs and the counterattacker has very high cost
    • Different from the cold war, it is not two huge organizations against each other, but large organizations against a huge number of individuals

    This strikes me as basically an over-aggressive, "bully"-type strategy by people that like to employ violence, but are not very bright. It is doomed to fail from the onset. The situation is a bit similar to the "war on terror", but more like a "war on (petty) Internet crime". Fighting crime with military means has never worked and will never work. The way to fight crime is by I) better securing your property (but especially the government and military seem to be hugely incompetent in that area) and II) standard police work. The added complication is that this is an international problem, something the US is notoriously bad at tackling, since they do not understand the rest of the world at all. But bombing shoplifters is not something that is going to work, ever, and even not very bright people should be able to understand that.

  • by khallow ( 566160 ) on Thursday October 14, 2010 @06:43PM (#33901810)
    While I'm sympathetic to Chertoff's views, the problem remains that the tools he suggests are both too blunt for the purpose and may actually reveal important, low risk information for the adversary. As the title suggests, the US has a many decades history, since the Second World War, of using progressively more selected and targeted means of killing people. There are two reasons for this. A more focused weapon inflicts more damage on the intended recipients and less damage on third parties. However, to be used effectively, you need to have intelligence on your foes and sufficient control of the weapon so that it hits what you want it to hit.

    For example, in the absence of any intelligence, other than that "bad guy" insurgents are hiding in a certain city, then a nuclear bomb would be more effective than a smart bomb for causing harm to the enemy. The drawbacks of such a brutal and lazy strategy are pretty obvious, from huge loss of innocent life to the possibility that most of the bad guys survive the nuclear attack (maybe they're in a bunker or spread out so that a nuclear burst takes out only a few at a time). A smart bomb would be useless, a bad guy is more likely to die from traffic accidents.

    OTOH, intelligence on where exactly the "bad guys" are leads to the smart bomb being much more effective. A smart bomb delivered right to the basement is more effective than a nuclear bomb blindly lofted a dozen miles away.

    That sums up what I see as the first problem with Chertoff's proposals. Since the force is not focused nor based on decent intelligence, it doesn't harm the foe and harms innocents instead.

    Second, unfocused harm has the tendency to warn the enemy that you know something before you get a chance to do significant damage to them. A worst case here would be a rigid retaliation procedure that a foe could use to map out the sensitivity of your defenses and deliberately trigger unpopular retaliation attacks on innocent targets.

    As it stands, there apparently is a large scale, systematic looting of US (and developed world) knowledge by unknown parties (often thought to be the Chinese government or Russian underworld). There should be a price paid for trying to steal millions or billions of dollars of information. I think that Chertoff's suggested approach is a losing strategy that doesn't help the US mitigate the loss from such activities.
  • Of course it is. (Score:4, Insightful)

    by Anonymous Coward on Thursday October 14, 2010 @07:02PM (#33902010)

    Terrorism is only scary to people who shouldn't have been let past the third grade. Even irrational people understand their risk of death by terrorism is pretty much nil, compared to say their risk of horrible death involving decapitation and other hilarious ends while driving.

    "Cybersecurity", though?

    Computers are strange, wondrous magic boxes for the vast majority of the population. Even for the supposed tech whiz 'next generation'. Oh, sure, kids these days understand Twitter. They sure as hell don't understand TCP/IP. What better platform, then, to force Americans to do what we do best? Wet our pants in baseless fear and beg our government to strip us of our freedom.

    OH NOES OSAMA IS WHISTLIN' INTO A PHONE AND LAUNCHING NOOKS FROM SATELLITES! :O SAVE ME, GOVERNMENT!

    *sigh*

  • by krisamico ( 452786 ) on Thursday October 14, 2010 @07:19PM (#33902230)

    Destroying the countries where attacks originate is a broken doctrine, IMO. Use of force should always be measured, and focused, lest history revile us. The ease of false flag operations in "cyberspace" makes the nature of our responses to attacks even more important. I would dismiss Chertoff out of hand were it not for the possibility that, rather than harmless BS, talk like this may encourage a doctrine that will allow our government to start wars and engage in various intrigues, to evil ends. Chertoff co-birthed the anti-Christ fetus disingenuously called the "USA PATRIOT" act, so we should tell him to take his "overwhelming force" and sell crazy some place else. We seem to be stocked up already.

  • by postbigbang ( 761081 ) on Thursday October 14, 2010 @07:29PM (#33902336)

    You're right. An eye for an eye, a tooth for a tooth, and soon you need seeing-eye dogs and dentures.

    With two million botted machines in the US alone (a conservative estimate), you could piss off a lot of homies, too. I don't think Chertoff realizes just how many pawns there are, ready to march, and give him a bad day. That we don't consider those pawns as attackers-in-waiting is a fool's blindness.

  • Re:Excellent idea (Score:3, Insightful)

    by TheCarp ( 96830 ) <sjc@NospAM.carpanet.net> on Thursday October 14, 2010 @08:18PM (#33902892) Homepage

    The other sad thing is that we still haven't paid for it.

    There is no way it was successful for the US, it was a stupid and unnecessary pissing match from day one. An embarrassment for the country. I am still against having a standing army. We have no need to have forces outside of our borders. It's a shameful waste.

    -Steve

  • by HungryHobo ( 1314109 ) on Thursday October 14, 2010 @09:18PM (#33903408)

    Nah, someone will just root some of the US military's own shitty, poorly patched Windows NT boxes and use them as a platform for attack.

    The US military will then MAD its own network into the ground to show them who's boss.

    Or even better.

    If I want to take down some website, I don't have to do the hard work any more.
    Just find any insecure app or server in the same server farm and use it to launch some trivial attack against the US government.
    The US government then does my attack for me, DDoSing or blackholing the entire datacentre and my target.

    I've heard enough silly ideas over the years for systems of actively attacking machines which attack a network, sometimes in an automated fashion.
    Most automated ones are trivially subverted to use against third parties and the non-automated ones depend on the people in charge being able to find their arse with both hands... unfortunately it's the military.

  • Re:My Proposal (Score:1, Insightful)

    by Anonymous Coward on Friday October 15, 2010 @06:18AM (#33906010)

    I second that. Chertoff was the idiot that claimed in the days afterward that the devastation Katrina caused to New Orleans was unexpected. Which is a load of crap given that people had been warning for decades that a major hurricane rolling over New Orleans would indeed be a complete disaster, the preparations for the possibility were inadequate, and there were several close calls that made it obvious (e.g., hurricane Ivan in 2004). What kind of head of the "Department of Homeland Security" wouldn't know about the top one or two potential natural disasters in the USA? It's like being surprised if a major, devastating earthquake happens in California, the other top one or two -- DUH! You may not know when it's going to happen, but, no, it's not a "surprise" when it does. It's a rarity, but inevitable. That's why you make big investments in preparations and you act decisively if you have a few days of warning.

    The part I can't figure out is why Chertoff didn't lose his job like all the other incompetent people at the top that were involved in that fiasco, because he was just as clueless and ineffective.

    Based on past performance, the chances he's got things right on the risk of "cyber warfare" are pretty slim. So, yeah, ignore him.

  • by Anonymous Coward on Friday October 15, 2010 @07:33AM (#33906388)

    I've met perfectly well-educated people who think that the new rules for liquids on airliners are a great enhancement of their safety. There are lots of brilliant people who can't do arithmetic.

  • by mcgrew ( 92797 ) * on Friday October 15, 2010 @09:28AM (#33907154) Homepage Journal

    the morality may be flawed.

    "May be?" Saying the morality of this "may be flawed" is like saying my pet unicorn "may be flawed". There is no morality in it, period. It's completely immoral, plain and simple. The Stasi are evil, and so is Chertoff. But it is logical to hire a man without morals to head an immoral agency that should never have existed in the first place.
