Pentagon: cyber-attacks an act of war

Today’s Wall Street Journal reports that the Pentagon will say that cyberattacks from foreign countries are acts of war.  As someone in the business I have a few questions.

First, with botnets being widespread within the United States, how will the Pentagon determine with sufficient reliability that an attack will have originated from outside the U.S.?

How will they determine that the attack would have been originated by a foreign government?  This is a difficult distinction to make.  By way of example, some time ago, Cambridge researchers uncovered an attack originating from China on The Office of His Holiness the Dalai Lama in California.  Was the government of China responsible?  Maybe.  Is it not more likely that we would see asymmetric attacks?

Just because you believe a government has committed an act of war, does it mean one goes to war?  In the U.S. that power is reserved.  Only Congress can declare war.  However, in practice, it is the president who initially engages in armed conflict.

Once at war, how would we respond?  Clausewitz and Sun Tzu tell us that one only goes to war to effect a change, and with the confidence to win.  Would we therefore bomb attackers to the stone age?

I would like to believe that before we make any firm statements we have clear answers to the above questions, lest a cyber Casus Belli lead to a repeat of Viet Nam or Iraq.

Our Supposed Healthcare System

Let’s do a brief comparison of the U.S. to the civilized world, when it comes to healthcare insurance and what actually happens when a child is born.  In Switzerland, when a child is born, both the mother and the child may stay up to five days in the hospital.  For even the slightest complication that time gets extended for both.

In the U.S., an insured mother and her child are entitled to two days.  If there is a problem with one, as was the case with my new niece (she was jaundiced and required an extra day), she is separated from the mother, who in this case herself spent the night in the hospital lobby so that she could nurse her newborn daughter, three days after having given birth.

Which would you want for your wife, sister, or daughter?  U.S. or civilized?  If you answered “civilized”, then you get to answer another question: who are the people who should supervise our profit-oriented health insurance industry, and where are they?  I personally would like to know.  By the way, here in Switzerland my family and I pay less than most Americans our ages for healthcare, and we’ve not been turned down for anything we needed (in fact we’ve never even had an argument about it).  Now, does that change your answer?

A New Role For Eliot

As many of you know I have a long history within the Internet Engineering Task Force (IETF), having been involved since 1989.  The IETF is responsible for many of the underlying protocols that computers use to talk with one another for purposes such as Email and the Web.  I have served as the chair of two working groups, a research group, and have written numerous drafts and requests for comments.

As of late I have been involved with the International Telecommunication Union (ITU).  The ITU is a U.N. organization whose origins date back to at least 1869, long prior to the forming of the U.N.  The ITU has developed numerous data communication standards, including X.509, which is what web encryption uses, as well as many of the codecs that are used on the network to transmit voice and video.

Last May I was able to join the United States delegation to the World Telecommunication Development Conference (WTDC) in Hyderabad, India.  Now I have been asked to serve as the Internet Architecture Board liaison to the ITU-T.  My role will be first and foremost to see that liaisons (messages between the organizations) are properly handled by the IAB and IETF.  I will advise the IAB and IETF on how the ITU-T functions, and the context around particular liaison statements.  Occasionally I will assist in drafting liaison statements.

These organizations operate quite differently.  The IETF is driven by individual participation, where people needn’t even attend meetings to participate in decisions.  The ITU-T is an intergovernmental organization in which only governments may make decisions, although others may advise.

This is an important role at an important time, because when these two organizations do not cooperate at some level, they end up duplicating and competing with each other’s work.  That can lead to more expensive products or products that do not work well together.

Android Phones the next security threat?

Take it as an axiom that older software is less secure.  It’s not always true, but if the code wasn’t mature at the time of its release (meaning it hasn’t been fielded for years upon years), it’s certain to be true.  In an article in PC Magazine, Sara Yin finds that only 0.4% of Android users have up-to-date software, as compared to the iPhone, where 90% of users have their phones up to date.

This represents a serious threat to cybersecurity, and it should have been a lesson that was already learned.  Friend and researcher Stefan Frei has already examined in great detail update rates for browsers, a primary vessel for attacks.  The irony here is that the winning model he exposed was that of Google’s Chrome.

What then was the failure with Android?  According to the PC Magazine article, the logic lies with who is responsible for updating software.  Apple take sole responsibility for the iPhone’s software.  There are a few parameters that the service provider can set, but other than that they’re hands off.  Google, however, provides the software to mobile providers, and it is those mobile providers who must then update the phone.  Guess which model is more secure?  Having SPs in the loop makes the Internet more insecure.  Google needs to reconsider their distribution model.

CNN: Lawmakers rethinking (their) security

CNN reports that in the aftermath of the Tucson shooting, House and Senate leaders are considering additional security for their members.  That’s all fine and dandy, but my simple question is this:

What about the rest of us?

This guy went in and legally bought a 9mm Glock with ammo, even though his friends and schools knew he was a little nutty.  All of the dead people weren’t in Congress.  They were collateral damage.  What about them?  The first person who says that a nine-year-old should be defending herself from a Glock gets a Bronx Cheer.