Nato warns of strike against cyber attackers

From the NetSec mailing list...

At The Times & The Sunday Times: breaking news & today's latest headlines

June 6, 2010
Nato warns of strike against cyber attackers
Michael Smith and Peter Warren

NATO is considering the use of military force against enemies who launch
cyber attacks on its member states.

The move follows a series of Russian-linked hacking against Nato members and
warnings from intelligence services of the growing threat from China.

A team of Nato experts led by Madeleine Albright, the former US secretary of
state, has warned that the next attack on a Nato country �may well come down
a fibre-optic cable�.

A report by Albright�s group said that a cyber attack on the critical
infrastructure of a Nato country could equate to an armed attack, justifying
retaliation.

Article 5 is the cornerstone of the 1949 Nato charter, laying down that �an
armed attack� against one or more Nato countries �shall be considered an
attack against them all�.

It was the clause in the charter that was invoked following the September 11
attacks to justify the removal of the Taliban regime in Afghanistan.

Nato is now considering how severe the attack would have to be to justify
retaliation, what military force could be used and what targets would be
attacked.

The organisation�s lawyers say that because the effect of a cyber attack can
be similar to an armed assault, there is no need to redraft existing
treaties.

Eneken Tikk, a lawyer at Nato�s cyber defence centre in Estonia, said it
would be enough to invoke the mutual defence clause �if, for example, a
cyber attack on a country�s power networks or critical infrastructure
resulted in casualties and destruction comparable to a military attack�.

Nato heads of government are expected to discuss the potential use of
military force in response to cyber attacks at a summit in Lisbon in
November that will debate the alliance�s future. General Keith Alexander,
head of the newly created US cyber command, said last week there was a need
for �clear rules of engagement that say what we can stop�.

The concerns follow warnings from intelligence services across Europe that
computer-launched attacks from Russia and China are a mounting threat.
Russian hackers have been blamed for an attack against Estonia in April and
May of 2007 which crippled government, media and banking communications and
internet sites.

They also attacked Georgian computer systems during the August 2008 invasion
of the country, bringing down air defence networks and telecommunications
systems belonging to the president, the government and banks.

Alexander disclosed last week that a 2008 attack on the Pentagon�s systems,
believed to have been mounted by the Chinese, successfully broke through
into classified areas.

Britain�s Joint Intelligence Committee cautioned last year that Chinese-made
parts in the BT phone network could be used to bring down systems running
the country�s power and food supplies.

Some experts have warned that it is often hard to establish government
involvement. Many Russian attacks, for example, have been blamed on the
Russian mafia. The Kremlin has consistently refused to sign an international
treaty banning internet crime.

Obviously NATO is not concerned with proving the culprit of an attack an
albeit close to impossibility. Considering that many attackers
compromise so many machines, what's to stop someone from instigating. I
can see it coming now:

hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000
hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000

So NANOGer's, what will be the game plan when something like this
happens, will you be joining NATO and pulling fiber. I wonder when all
types of warm-fuzzy filtering will be drafted into networking: "Thou
shall re-read RFC4953 lest you want Predator strikes on your NAP
locations...

So NANOGer's, what will be the game plan when something like this
happens, will you be joining NATO and pulling fiber. I wonder when all
types of warm-fuzzy filtering will be drafted into networking: "Thou
shall re-read RFC4953 lest you want Predator strikes on your NAP
locations...

We have a large supply of tin hats on stock ...

My .02

Jorge Amodio wrote:

So NANOGer's, what will be the game plan when something like this
happens, will you be joining NATO and pulling fiber. I wonder when all
types of warm-fuzzy filtering will be drafted into networking: "Thou
shall re-read RFC4953 lest you want Predator strikes on your NAP
locations...
    
We have a large supply of tin hats on stock ...

My .02
  
All humor aside, I'm curious to know what can anyone truly do at the end
of the day if say a botnet was used to instigate a situation. Surely
someone would have to say something to the tune of "better now than
never" to implement BCP filtering on a large scale. Knobs, Levers, Dials
and Switches: Now and Then (please sir, may I have some more ?) is 7
years old yet I wonder in practice, how many networks have 38/84
filtering. I'm wondering why it hasn't been implemented off the shelf in
some of the newer equipment. This is not to say "huge backbones" should
have it, but think about it, if smaller networks implemented it from the
rip, the overheard wouldn't hurt that many of the bigger guys. On the
contrary, my theory is it would save them headaches in the long run...
Guess that's a pragmatic approach. Better that than an immediate
pessimistic one.

So let's say a cyber-attack originates from Chinese script kiddie.

Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
will all respond by invading China? Is NATO trying to start a war here?

There's no mention in the article about any kind of electronic response to
the attack.

The bots don't need to spoof source addresses... and therefore the filtering associated with preventing that while a solid belt and suspenders exercise is by no means a panacea.

Of course, their reasoning seems to be that theres no possible way an attack could be from Russia, but using a open proxy, relay, etc in China. Its not like an IP is guaranteed to be directly controlled by someone in that country.

So, we end up invading China, and while all of our troops are there, Russia comes in and takes over the US or the EU without much effort.

Note i'm just using Russia and China in examples here, no specific reason that it could only be them.

If I didn't know any better, I'd say they let Bush write their policies.

Packets of mass destruction?

The issue of attribution -- and the extreme difficulty of doing it in the online world -- is *very* well understood in Washington, even at the policy-maker level. I'm currently a member of a National Academies study committee on "cyberdeterrence" (http://sites.nationalacademies.org/CSTB/CurrentProjects/CSTB_054995); we've discussed that point ad nauseum. Consider this text from p. 9 of our letter report:

  "for many kinds of cyberattack the United States would almost certainly not be able to ascertain the source of such an attack, even if it were a national act, let alone hold a specific nation responsible. For example, the United States is constantly under cyberattack today, and it is widely believed (though without conclusive proof) that most of these cyberattacks are not the result of national decisions by an adversary state, though press reports have claimed that some are. In general, prompt technical attribution of an attack or exploitation—that is, identification of the responsible party (individual? subnational group? nation-state?) based only on technical indicators associated with the event in question—is quite problematic, and any party accused of launching a given cyberintrusion could deny it with considerable plausibility. Forensic investigation might yield the identity of the responsible party, but the time scale for such investigation is often on the order of weeks or months. (Although it is often quite straightforward to trace an intrusion to the proximate node, in general, this will not be the origination point of the intrusion. Tracing an intrusion to its actual origination point past intermediate nodes is what is most difficult.)"

But read the next paragraph, which discusses other ways to figure out who did it.

We can hope that no one in Washington (or Beijing or Moscow or the capital of Elbonia) is stupid enough to rely on IP addresses of the actual attacking machines as a definitive indicator. Given how widely understood that is, it's not even on my list of things to worry about. The question that report is tackling is this: *if* there is a serious online attack on critical infrastructure -- say, turning off some generators with extreme prejudice (http://edition.cnn.com/2007/US/09/26/power.at.risk/index.html), and *if* you know who did it, is a "kinetic" response on the table? This has nothing to do with the botnet du jour, nor with Sen. Lieberman marching in to your NOC with a subpoena for your "enable" passwords. And while people in Washington (or Beijing or Moscow or the capital of Elbonia) can be quite stupid, they're (usually) not quite as stupid as as all that. And yes, serious mistakes can be made. One more quote from the report (p. 8):

  "History shows that when human beings with little hard information are placed into unfamiliar situations in a general environment of tension, they often substitute supposition for knowledge. In the words of a former senior administration official responsible for protecting U.S. critical infrastructure, 'I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of a [cyber]attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt.'"

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

So let's say a cyber-attack originates from Chinese script kiddie.

Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
will all respond by invading China?

That leaves out the important aspect of selection. You can bet that, if they do this, they will pick
a more suitable target, say one without strategic rocket forces.

Is NATO trying to start a war here?

Militaries tend to think in terms of military responses.

What any of this has to do with configuring routers escapes me.

Regards
Marshall

We must distinguish between the m.o. of an actual response, and deterrence. If we speak of deterrence, I wrote about it not long ago.

Deterrence online is one of the biggest idiocies of the past couple of years. There are some interesting research possibilities in the subject matter, but not as it is portrayed today -- a cure-all strategy.

Strategic experts are very comfortable with Cold War strategy following around 70 years of practicing it, so when asked to deal with the Internet, they ran to deterrence.

In order to have deterrence, you require first an ability to respond to an attack. On the Internet, you may never find out who is attacking you, and data may be intentionally misleading when you think you do have some bread crumbs.

It is just virtually impossible to tell who is behind an attack from technical data alone.

Thus, deterrence against whom?

You may say that by setting an occasional example, it doesn't matter who you attack. That is mostly false as well.

If we do know who is attacking us, then consider the players can now be (and indeed are) unaffiliated individuals or groups who may not care about the infrastructure of the country they are in nor have any infrastructure to speak of (which can in turn be targeted). Any attack will likely be against a third-party that has been hacked, i.e. compromised.

And if you're dealing with large-scale attacks, such as DDoS, responding in kind (with DDoS, botnets, etc.) will also hurt the Internet itself with collateral damage.

There are some particular instances where deterrence does work online, and it may also be used as a general addition to real-world deterrence (we have cyberweapons -- beware!), but these are just points that would muddy the water in the wider argument before us.

I think supporting such folly is generally folly itself. For further reading, I'd point you to this comprehensive and quite excellent document: "Cyber Deterrence and Cyber War," by Martin C. Libicki:
http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf

  Gadi.

I think Jay is worried about steps operators may have to take during such an eventuality of an attack, not to mention the collateral damage to the Internet infrastructure if DDoS is what they have in mind.

  Gadi.

Have no fear geolocation is here, you are not in peril. It will be a
surgical strike. If Google and others are willing to assist, they will know
exactly where to send the JDAM.

Chrome now collects data from your wireless card if you let it. When you are
asked where you are, Chrome then also records any IP and MACs it hears over
your card (or so I am told). The same is being done on cell phone OS.
Being on a GRE tunnel will make no difference.

http://www.google.com/support/chrome/bin/answer.py?answer=142065&hl=en

http://google-code-updates.blogspot.com/2008/10/introducing-gears-geolocatio
n-api-for.html

http://news.cnet.com/8301-30684_3-20006342-265.html

Here is one commercial application of this process.

http://www.skyhookwireless.com

Cowering under my desk,
Jim

Military reply doesn't have to mean bombs and guns. There is nothing
keeping it form mean offensive cyber counter attacks. This would mean
manage the battlefields

So let's say a cyber-attack originates from Chinese script kiddie.

Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
will all respond by invading China? Is NATO trying to start a war here?

Bigger tin hats required then ...

Changes the meaning of "guns a blazing"

Bryan

Buy 10,000 shares of every South Korean company you can find, short them, then
launch an attack from Seoul. Then sit back and profit.

Oh, quit looking at me like that. You know you were all thinking it.

Actually I was thinking of my neighbor's noisy dog and what a predator
strike to his house would do.

Buy 10,000 shares of every South Korean company you can find, short them, then
launch an attack from Seoul. Then sit back and profit.

Oh, quit looking at me like that. You know you were all thinking it.

Yes and then deposit the bounty on a Nigerian bank ...

I wonder why there is so much focus on the bus and the bus driver that
transported the suicide bomber without knowing about it.

Sometimes feels that nobody cares to fix the crappy software that gets
shipped with almost every new computer going to the hands of a monkey.

Sigh ...

Seems that the ROI of fixing stuff is much lower than dealing with the
potential consequences of something happening. Anyway don't worry 2012
is getting closer ...

Cheers
Jorge

Lets try to seperate the attacks into those that we (NANOG) have dealt with and those that NATO are referring to - and there is *no* overlap between the two.

Attacks such as botnets, hpings, compromised machines, DDOS attacks, site defacements, prefix hijacks is what this list deals with, sometimes well and other times not.

The attacks NATO is referring to are ones like causing trains to crash into each other, attacks causing oil and gas pipelines to overload and explode, attacks altering blood bank data, attacks poisoning the water supply, etc. - all of which can be done remotely.

NATO is in no way (unless they have been out in the sun too long) condoning an attack for a DDOS attack. I think NATO is discussing attacking if 5,000 people die from some cyber attack as listed above (I have many more scenerios).

-Hank