In light of the newly reported attacks on U.S. government Web sites delivered via targeted DDoS campaigns, a lot is being written and said about the notion of cyber-war and what that very concept encompasses.
Obviously, long before the rise of the Internet and today’s global online environment, government entities – specifically in the intelligence and military realms – were already attempting to get their hands on adversaries’ computing technologies and the national secrets handled by those systems.
Sometimes it’s easy to forget how much of the initial research and development that went into many of these IT assets was actually driven by national intelligence and defense interests, and funding.
However, within the parameters of today’s interconnected society and with our dependence on electronic infrastructure, the opportunity for actions taken over these systems to represent truly warlike behavior has never been more legitimate.
In recent years, acts of so-called “hacktivism” in Eastern Europe tied to political interests have effectively crippled government Web sites and networks. CIA officials have confirmed cyber-attacks on foreign nations through which critical national infrastructures have been successfully targeted.
Meanwhile, the FBI reported that over 100 individual nations have already developed some form of cyber-military capability
The truth is we still don’t know who carried out this recent set of DDoS attacks that forced interruptions of sites at the U.S. State, Transportation and Treasury Departments, as well as the Secret Service and Federal Trade Commission, or what their intention was. We may never know.
But regardless of the fact that precise attribution, especially in the first moments of attack, will likely always be a challenge, we simply must be better prepared for cyber-war conditions in general.
The recent DDoS campaign may have been the work of non-state actors seeking merely to flex their hacking muscles or it could have been an organized military exercise aimed at testing electronic strike capabilities – the U.S. government’s state of situational awareness to such cyber-attacks and ability to deflect and respond to the campaigns must be improved in either scenario.
I’d argue that the best way to do so is by performing more aggressive Red Team penetration testing and Blue Team remediation to address the nation’s most pressing IT vulnerabilities, and to help private sector organizations serving in critical infrastructure sectors do the same.
The creation of the White House Cybersecurity Coordinator highlights the recognition on the part of the President and Secretary of Defense that we need to stand up our capabilities, and one of the primary issues currently being grappled with by the Cyber-Command is what the nation’s cyber-security doctrine should be.
This week’s attacks emphasize the need for leading federal agencies to create more specific operational plans defining what types of cyber-attacks constitute an act of war, and what actions should be taken in response. There should be clear boundaries regarding what actions may constitute an act of war and the necessary policies, plans, and processes must be in place to address such situations.
The impact of the most recent denial of service campaign, which just happened to begin on July 4, may be overhyped at this point, but it demonstrated the reactive nature of our government and corporations and showed our adversaries that we’re behind the eight ball.
For starters, web hosting providers used by the government and other critical infrastructures must be monitored more closely and required to address DDOS mitigation. A mentor of mine advised me that the real solution to the DDoS problem will be found in the type of technical architecture and processes that get put into place.
He said that if web hosts don't leverage basic layer-7 switching for load distribution, fail to embrace bandwidth-on-demand for DDoS mitigation or to leverage diverse routes through multiple ISPs – and won't add other security features – then the same thing will happen again.
He also reminded me that next time it may not just be web services that are affected as these campaigns could impact all of the electronic services being consolidated by the organizations that are being attacked.
And that’s not just hype.
-Tom Kellermann, Vice President of Security Awareness