
November 27, 2009

Hacker extradited from London to US

A quick entry in between.
At the moment I am looking at legal opportunities/problems regarding cyber security and something interesting popped up on a Dutch news site. (English article)

London has approved the extradition of a Scottish hacker, McKinnon, to the US. It has taken 7 years and many appeals before the final decision was made. It was stated that the United Kingdom could not refuse extradition to the US based upon existing treaties between the two.
According to the 2nd article:
“...[he] is accused of hacking into 97 United States military and NASA computers in 2001 and 2002, using the name ‘Solo’. The computer networks he is accused of hacking include networks owned by NASA, the US Army, US Navy, Department of Defense, and the US Air Force.”

According to the hacker himself, he was looking for proof of aliens (100% sanity? I wonder). The damage done was around US$700,000 and McKinnon can now face a sentence of 70 years in the US for his hacking.

If the treaties in question did not exist, the hacker would likely have faced trial in the United Kingdom. Well-managed relations with other nations are thus of high importance for the US if it wants to convict hackers from other nations in this country. Would it set a good example for international cooperation?

November 25, 2009

How to attribute an attack?

Previous posts have touched briefly on the topic of attribution; however, as it is a very important issue, I wanted to dedicate a single entry to it.

If the US decides to implement an offensive policy with respect to cyber security, and a cyber attack is taking place, how do you attribute the attack? Can you assess for sure who attacked you?

There have been some cases in which North Korea or China were pointed out as being part of state-sponsored attacks. However, no one seems to know for sure.

In an article in the New York Times of July 09, the author states:
“Cyberwarfare specialists cautioned this week that the Internet was effectively a “wilderness of mirrors,” and that attributing the source of cyberattacks and other kinds of exploitation is difficult at best and sometimes impossible.”
In addition, the article talks about the US administration:
“With the administration cyberreview there are many government agencies orbiting around the policy debate that have an interest in pointing to [this incident] as evidence with obvious implications”.
Would it really be that some incidents might cause many to vote for an offensive policy?

However, another article I found describes some caveats perfectly.

On ubiwar.com, a short post also deals with the issue of attribution. It stated:
“...going to war – cyber, or otherwise – without any proof is a poor and dangerous method of conducting international relations.”

It is a difficult issue and many have written entries/articles on it. Some say attribution is possible, whereas others say it is 100% impossible. Who to believe?

In an article by Jeffrey Carr, one can read his suggestion for solving the problem:
“Structure cyberspace like airspace or territorial waters with designated areas of state responsibility. In other words, each nation controls and is responsible for its own cyberspace.”

My instant reaction: Is it really this ‘simple’?

November 22, 2009

iPhones creating botnets!

According to the Dutch news site nu.nl, the new iPhone worm is building botnets.
The internet provider XS4ALL reported this. It recorded an increasing amount of traffic on its network from iPhones with T-Mobile and the Australian Optus as provider.

The worm only attacks iPhones which have been “jailbroken”; a jailbreak lets users of the phone install software on the phone which Apple did not approve. Any user who used a jailbreak and then forgot to change the common password is exposed to the worm and to becoming part of the botnet.
It was stated that this worm “steals” personal information such as pictures and e-mail addresses.

Now, the above might seem rather unrelated to whether or not an offensive policy should be in place. However, as iPhones are now also connected to the internet and stories like the above become common news, the USG should not only consider cybersecurity regarding PCs and laptops. More and more Americans are using iPhones, and people working for the USG are among them. Offensive policy should consider the “state of the art” at any point in time, including any consequences for national security, however difficult this might be for policy decisions.

November 19, 2009

Cyber center opened

On the website of TopTech News one can read that
“Homeland Security officials opened a $9 million operations center to better coordinate the government’s response to cyberattacks.”

Napolitano, Secretary of DHS, opened the new National Cybersecurity and Communications Integration Center in Virginia.

Lately, it seems more steps are being taken by the USG to become more secure regarding cyber. However, we must be critical, as this might just be another center in the whole spiderweb-like structure of the USG organization. Will bureaucracy prevent it from working properly? Will this be the solution to all?

Additionally, the article talks about the new cyber coordinator, who will be the policy advisor. This position is still open and, accordingly, President Obama is himself involved in finding a capable person for the spot.

Will this mean that in the meantime the USG will stick to the policy currently in place? The direction taken on this issue will surely depend on this person.

November 13, 2009

USCCU - a complete checklist to consider if you want to be cyber secure!

After another hunt on the internet I found the following:

The U.S. Cyber Consequences Unit (USCCU). This non-profit organization provides information on cyber security for all kinds of organizations, whether they be companies, individuals or nations. According to the website:
“… [It] provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks. It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible counter-measures”

=> Strategic and economic consequences of cyber attacks are one way to look at the effects such an attack can have. Of course there are other issues at stake; however, these two can be used for justification when one wants to convince (or not) others on what kind of policy to implement regarding cyber security.
=> Furthermore, the numbers provided on the cost-effectiveness of possible counter-measures are of interest as well. Too bad I was not able to find any reports or numbers on their website (only general info on the USCCU was found).

After a further search on their website, the USCCU check-list was found. It divides the vulnerabilities into 6 areas and subdivides these into smaller areas. The six are:

1) Hardware Vulnerabilities, 2) Software Access Vulnerabilities, 3) Network Vulnerabilities, 4) Automation Vulnerabilities, 5) Human Operator Vulnerabilities, 6) Software Supply Vulnerabilities.

The document itself is rather comprehensive as approx. 28 pages are filled with questions relating to cyber security.

It is a good start. Though one might wonder whether an ordinary individual or an organization not aware of the risks is going to sift through all these pages and questions to secure itself better.

November 08, 2009

Defensive or offensive? - National Research Council

That’s the question!

During research on the internet I found a book written by the National Research Council, provided online by the Computer Science and Telecommunications Board (CSTB), named “Technology, Policy, Law, and Ethics regarding US Acquisition and Use of Cyber Attack Capabilities” (2009). It is quite a read, though very interesting, as it deals with many of the issues that arise when discussing whether the USG should move towards an offensive policy or stick with a defensive one.

=> First, the book distinguishes between a cyber attack and cyber exploitation. The latter is purely for information gathering and is not meant to be destructive. This could suggest that cyber exploitation would not fall under the term ‘offensive’, as it is not seen as being a counter-attack. This coincides with discussions regarding intelligence gathering by China on the US and vice versa.

==> Another important issue addressed is: when does the USG know it is under cyber attack? And how/when do you know who your attacker is? As the book states:
“There is a tension between a policy need for rapid response and the technical reality that attribution is a time-consuming task.”
They continue with:
“...Shortening the time for investigation may well increase the likelihood of errors being made in the response.”

It is tricky. How much time should be spent on investigating who was attacking you, while there is pressure and a need to respond as soon as possible (in the case of an offensive policy)? Is the level of error not too high to conduct this kind of policy?

==> Another aspect is ethics. It has been discussed widely that counter-attacks might have unexpected collateral damage. This was also pointed out in the overarching findings (no. 5). It is stated that indirect consequences might even outweigh the direct consequences. If it is questionable what the side-effects of a cyber attack are, it might not be worthwhile to proceed.

There is a wide range of aspects that need consideration when discussing pro/con offensive policy; however, for now I will leave this here for all of us to think about.