Today’s Wall Street Journal reports that the Pentagon will say that cyberattacks from foreign countries are acts of war. As someone in the business I have a few questions.
First, with botnets being widespread within the United States, how will the Pentagon determine with sufficient reliability that an attack originated from outside the U.S.?
How will they determine that the attack would have been originated by a foreign government? This is a difficult distinction to make. By way of example, some time ago, Cambridge researchers uncovered an attack originating from China on The Office of His Holiness the Dalai Lama in California. Was the government of China responsible? Maybe. Is it not more likely we would see asymmetric attacks?
Just because you believe a government has committed an act of war, does that mean one goes to war? In the U.S. that power is reserved: only Congress can declare war. In practice, however, it is the president who initially engages in armed conflict.
Once at war, how would we respond? Clausewitz and Sun Tzu tell us that one only goes to war to effect a change, and with the confidence to win. Would we therefore bomb the attackers back to the Stone Age?
I would like to believe that, before we make any firm statements, we have clear answers to the above questions, lest a cyber casus belli lead to a repeat of Vietnam or Iraq.
Re “how do they know where it came from” – that’s what attack attribution is about. There are four levels of attack attribution: what machine (bot) sent it, what machine is in control of the bot, who (person) is in control of the controller, and who (person) paid him/her. There are some folks who spend quite a bit of time and thought on third- and fourth-level attack attribution, and it is more art than science. Currently, mostly classified stuff. Maybe you saw Stefan Savage’s blog last week; he ran an experiment with spam: “what happens if you set up a dummy person who actually buys stuff advertised using spam?” The result was that he spent about $4000 on various products (Viagra, etc.) and most of it actually came in the mail. He then tracked the payments and was able to determine what banks were being used, which is a step toward finding what company one is actually buying from. The obvious next step is to isolate the company, figure out what law they are violating (selling drugs without a prescription?) and what jurisdiction is important, and then turn it over to law enforcement. One wonders if similar approaches would be useful with attacks.