Pentagon: cyber-attacks an act of war

Today’s Wall Street Journal reports that the Pentagon will say that cyberattacks from foreign countries are acts of war.  As someone in the business I have a few questions.

First, with botnets being widespread within the United States, how will the Pentagon determine with sufficient reliability that an attack originated from outside the U.S.?

How will they determine that the attack was originated by a foreign government?  This is a difficult distinction to make.  By way of example, some time ago, Cambridge researchers uncovered an attack originating from China on The Office of His Holiness the Dalai Lama in California.  Was the government of China responsible?  Maybe.  Is it not more likely we would see asymmetric attacks?

Just because you believe a government has committed an act of war, does it mean one goes to war?  In the U.S. that power is reserved.  Only Congress can declare war.  However, in practice, it is the president who initially engages in armed conflict.

Once at war, how would we respond?  Clausewitz and Sun Tzu tell us that one only goes to war to effect a change, and with the confidence to win.  Would we therefore bomb attackers to the stone age?

I would like to believe that before we make any firm statements we have clear answers to the above questions, lest a cyber casus belli lead to a repeat of Viet Nam or Iraq.

Android Phones the next security threat?

Take it as an axiom that older software is less secure.  It’s not always true, but if the code wasn’t mature at the time of its release, meaning it hasn’t been fielded for years upon years, it’s certain to be true.  In an article in PC Magazine, Sara Yin finds that only 0.4% of Android users have up-to-date software, as compared to the iPhone, where 90% of users have their phones up to date.

This represents a serious threat to cybersecurity, and it should have been a lesson that was already learned.  Friend and researcher Stefan Frei has already examined in great detail update rates for browsers, a primary vessel for attacks.  The irony here is that the winning model he exposed was that of Google’s Chrome.

What then was the failure with Android?  According to the PC Magazine article, the logic lies with who is responsible for updating software.  Apple takes sole responsibility for the iPhone’s software.  There are a few parameters that the service provider can set, but other than that they’re hands off.  Google, however, provides the software to mobile providers, and it is those mobile providers who must then update the phone.  Guess which model is more secure?  Having SPs in the loop makes the Internet more insecure.  Google needs to reconsider their distribution model.

CNN: Lawmakers rethinking (their) security

CNN reports that in the aftermath of the Tucson shooting, House and Senate leaders are considering additional security for their members.  That’s all fine and dandy, but my simple question is this:

What about the rest of us?

This guy went in and legally bought a 9mm Glock with ammo, even though his friends and schools knew he was a little nutty.  All of the dead people weren’t in Congress.  They were collateral damage.  What about them?  The first person who says that a nine-year-old should be defending herself from a Glock gets a Bronx Cheer.

Is there really anything surprising about the diplomatic cable leaks?

Is the U.S. going after Julian Assange, founder of WikiLeaks, by leaning on our British and Swedish friends?  It is too soon to tell, but as recent history demonstrates, we will eventually know the truth.  The New York Times and many other news outlets have been reporting on both the content and the legality of the release of over 250,000 U.S. government diplomatic cables.  Meanwhile, Julian Assange sits in a UK jail, awaiting a bail hearing relating to an extradition request by Sweden, where two women have separately accused him of sexual assault.

My real question: does anyone really find any of the information that has been released all that surprising?  It shows to me a diplomatic corps largely doing its job, collecting information, feeding it to their superiors for further analysis, and taking instructions.  Is anyone really surprised that Saudi Arabia isn’t getting along with Iran, or that the administration has a low opinion of Vladimir Putin?

Sometimes an airing of dirty laundry has positive consequences.  Perhaps other countries will think about standing up to Iran more than they have been.  Perhaps Russians will reconsider their views of Vladimir Putin.  Perhaps the U.S. will consider not providing a lowly private so much unaudited access to information that assuredly isn’t relevant to his job.  Certainly the late night shows needed fresh material!

Hello Insecurity, Goodbye Privacy. Thank you, President Obama

Some people say that Internet Security is an oxymoron, because we hear so much about the different ways in which hackers and criminals break into our data, steal our identities, and even use information to commit “real world” crimes like burglary, when it becomes clear that someone’s gone on vacation.  Well now the Obama Administration along with the FBI and NSA are proposing to make things worse, according to an article in today’s New York Times.

According to the Times, the government is going to propose requiring that developers give up on one of the key principles of securing information: use of end-to-end encryption, the argument being that law enforcement does not have the visibility into information they once had, say, in the Nixon era, where the NSA acted as a vacuum cleaner and had access to anything.

As our friend Professor Steve Bellovin points out, weakening security of the Internet for law enforcement also weakens it to the benefit of criminals.  Not a month ago, for instance, David Barksdale was fired from Google for violating the privacy of teenagers.  He could do that because communications between them were not encrypted end-to-end.  (Yes, Google did the right thing by firing the slime).

This isn’t the first time that the government has wanted the keys to all the castles, since the invention of public key cryptography.  Some of us remember the Clipper chip and a government-mandated key escrow system that the Clinton Administration wanted to mandate in the name of law enforcement.  A wise friend of mine said, and this applies equally now, “No matter how many people stand between me and the escrow, there exists a value of money for me to buy them off.”  The same would be true here, only it would be worse, because in this case, the government seems not to be proposing a uniform technical mechanism.

What’s worse, this mandate will impact only law-abiding citizens and not criminals, as the criminals will encrypt data anyway on top of whatever service they use.

What you can do: call your congressman now, and find out where she or he stands.  If they’re in favor of such intrusive policy, vote them out.