Security Blog

No more than a week after the Pentagon's military threats in the event of a cyber attack, the U.S. receives its first test of might.

Paul Sand, Vice President, IP3 Inc., offered this statement:
“Last week, IP3 assessed the Pentagon’s decision to consider a cyber attack as an act of war. We clearly determined that there was no strong strategic or tactical benefit for doing so. Apparently, a cyber attack on the Atlanta InfraGard Chapter was launched in retaliation for the Pentagon’s aggressive stance.  Taking action that raises your profile without any clear benefit is usually a bad move.”

I'm sure most of you have heard the ancient Japanese proverb, "The nail that sticks out gets hammered down." The U.S. government may have just targeted themselves as that very nail. By introducing such a strong statement, we have invited other less agreeable entities to test our claims of military force.

Another phrase that comes to mind is the African proverb "Speak softly and carry a big stick." Which was popularized by Theodore Roosevelt in his Big Stick ideology regarding peaceful negotiations backed by the threat of military force. So what happens when that threat of force is tested? Is it truly customary to take out the big stick and start swinging? This will be the true test of something I will call "cyberwar policy." 

Cyber policies will soon become a very hot topic in lieu of recent events. One event being the government controlled network outages that began in Egypt, which now seem to be trending seeing as the Nigerian government has done the same. This caused questioning in the U.S. which led to the introduction of "kill switch" litigation now being passed throughout Congress. A second event was the Pentagon's consideration of cyber attacks as acts of war. 

These recent events have begun to outline rules of cyberwar. There are many questions to be asked and much policy to be drawn up regarding these and future events. One thing is certain, our representatives had better get a handle on this policy soon before things get out of control.

The U.S. government, in statements by the Pentagon, now classifies cyber attacks on our nations infrastructure as acts of war and is implementing a strategy which will allow for military retaliation in the event of a cyber attack on the U.S.

Paul Sand, Vice President, IP3 Inc. says: 

"Declaring cyber attacks as acts of war is an unnecessary escalation. While I imagine that the Pentagon is striving to achieve a deterrence effect, traditional military retaliation to a cyber attack faces some big challenges. First and foremost, attribution is a problem.  Attribution is assigning responsibility for the attack to the appropriate party.  With spoofing and masquerading exploits so readily available and easy to use, an attacker will be hard to identify and may just be aiming to trigger retaliation against a third party. So, retaliation is a  path filled with significant chances for profound mistakes."

This statement by Paul Sand is understandable considering most cyberattacks and hacking incidents are not formulated by a governing body. They are generally run by a small group of rouge individuals acting independent of any government. Take for instance the group "Anonymous", which is nothing more than a large informal collection of hackers spanning across various continents. How will a target be decided in the event of an attack from multiple locations? Also keep in mind that most hackers are still in their teens. Are we to expect our government to discharge nuclear weapons on an innocent country because some adolescent hacked into one of our government sites from a computer in his basement?

Paul Sand continues:

"Further, cyber attacks that are “war-like” are not likely to be independent attacks.  The 2011 OECD report “Reducing Systemic Cybersecurity Risk” lays out a strong argument that cyber attacks will be coincident with conventional “kinetic” military actions. In that event, this new doctrine of response to the cyber attack is not necessary … existing doctrine governing the response to the kinetic attack will be sufficient and is much less susceptible to problems with accurately attributing the act to the true attacker."

"All in all, the Pentagon has not made the cyber world any safer by concluding that cyber attacks are an act of war."

In other news:

Lockheed Martin has acknowledged a significant cyberattack on their infrastructure. Evidence has surfaced linking this attack to the recent hack of RSA and the theft of RSAs SecureID authentication tokens. These tokens were used in an attack on Lockheed Martin in an attempt to obtain sensitive information from the security and defense company. Luckily Lockheed was able to thwart the attack very quickly after it propagated on their systems and assures everyone that no data was stolen. 

This attack on Lockheed Martin arrives on the landscape with an abundance of other cyberattacks including those on broadcaster PBS, EMC Corp.'s RSA security unit, Epsilon Data Management, LLC, and Sony Corp.'s PlayStation Network.

Todays networks are erupting with cyberattacks and cyberwarfare and governing bodies are struggling to keep a hold on their authority. Though the litigation is still unclear, the message should be clear to hackers. You've been warned! The next time you press enter and launch that malicious code, you could end up with a USAF B-52 Bomber over your head.