Re: [PLUG] Article on 'cyberwarfare'

[Rich Freeman <r-plug@thefreemanclan.net>]

On Sun, Feb 1, 2015 at 9:36 AM, Paul Walker <starsinmypockets@gmail.com> wrote:
> I posted the article to try and prompt a conversation, but the conversation
> that ensued seems to address a different topic - not so much the idea of war
> taking place on the internet.  Instead we seem to be discussing the idea of
> crime on the internet.

Obviously they're related in that the only real difference is one of
scale and who the actors are.

I think one of the core issue is that internet-connected systems are
becoming increasingly more important to the overall economy, but the
political/legal climate hasn't really involved.  If a state actor blew
up the Sony Headquarters with dynamite, we'd be bombing them.  If they
destroy the majority of their market value via computer intrusion, we
consider it a diplomatic matter at best.

Stronger enforcement of laws and firewalling at the national level
when this is not agreed upon would probably help with the computer
crime element.  It might not be as helpful for dealing with
cyber-warfare.  A country might agree to enforce laws against computer
crime and follow through, but then if we went to war with them they
might launch a crippling attack without warning, and perhaps companies
would lower their guard due to the more peaceful climate online
overall and be more susceptible to attack.  Even cutting off a
country's network access is going to be of limited use when it is easy
to use wireless telecommunications/etc to get around national borders.

I don't think that improved corporate security is much of a solution
either.  Any software of any complexity is bound to have unknown
critical vulnerabilities.  Anybody who is determined can probably find
those vulnerabilities and exploit them.  Security by obscurity would
probably protect you from mass attacks, but it would probably also
make you more vulnerable to targeted attacks.  When you're talking
about national actors you can't just deploy all the published security
updates and assume you're safe.  Anybody mounting cyber-attacks for
military purposes is going to be hiring people just as talented as
anybody you know, and they're going to be paid to do nothing but crack
servers/routers/printers/you-name-its 40 hours per week, with support
on the applications, OS, hardware, etc side, and no risk of punishment
whatsoever for the consequences of their activities.

Honestly, I think the only real defense is to air-gap anything that is
critical to national defense or basic infrastructure (power, water,
etc).  As we've seen with Stuxnet that isn't a perfect layer of
security, but it is obviously far better than just having everything
online.  Infrastructure also tends to be run by companies that aren't
subject to free-market competition, so regulators could require them
to provide that security and ensure they are compensated for it.

The other side of all of this is that security is rarely rewarded by
the market.  Would you pay more to buy stuff in the store if the store
went through some kind of certification process to demonstrate that
they're less likely to lose your credit card info?  In theory they all
go through PCI/etc anyway, and when you're talking state actors what
assurance could certification even provide.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug