The denial of service attacks now afflicting American banks are widely attributed to Iran. They’ve grown so serious that US banks have asked the National Security Agency for help.
That has provoked the usual response from privacy advocates. Faced with a serious threat to the security of our online banking accounts, they are happy to tell us who we should really be worried about: “’The dual mission of the NSA, to promote security and to pursue surveillance, creates an intractable privacy problem,’ said Marc Rotenberg, executive director of the Electronic Privacy Information Center.”
I’m more interested in the actual, uh, attacker. Assuming it’s Iran, as I do, what do these attacks mean? One thing is sure, they’re the opposite of the cyber Pearl Harbor everyone’s talked about. Unless Adm. Yamamoto called up the Navy on December 7, 1941, and said, “We’ll be attacking Pearl Harbor for an hour and then the Philippines for an hour, but only on Tuesdays, Wednesdays, and Thursdays.” Because that’s pretty much how the bank attacks are going – short duration, scheduled disruptions.
That raises a couple of questions. First, why would a country launch such a limited attack? It could be a demonstration designed to show capability without actually provoking a response -- sort of like sending an aircraft carrier to a trouble spot but staying in international waters. Indeed, some of the details of these DDOS attacks do show surprising sophistication, and there’s no doubt the actual impact of the attacks could be greatly ramped up if the attacker wanted to. Second, if that’s the case, the best response would be to demonstrate that our defense can counter the attacker’s offense – sort of like surfacing an undetected submarine alongside the carrier.
So, how are we doing at showing our defensive strength? Not so good, I’m afraid. The attacks persist, and we don’t seem to have a simple way to nullify them. That’s pretty troubling from a security point of view, particularly if you believe as I do that denial of service attacks are the least dangerous form of cyberattack. If we can’t defend against scheduled, short-duration, denial of service attacks, our vulnerability to other attacks is even more worrisome.
Which brings me to a third point: If these are Iranian attacks, Iran is probably doing us a favor. It’s teaching us some important lessons, exposing the weakness of our defenses in dramatic form without actually destroying any infrastructure or causing serious harm. It’s also revealing the weird priorities of the privacy groups, which seem to hate parts of our government more than Iran’s, even when they’re faced with an actual Iranian attack. And it’s giving us a kind of live-fire exercise in which to practice our cyberdefenses until we find something that works. With enough time, maybe we’ll find a way to get our planes in the air, our ships out to sea, and our anti-aircraft guns unlimbered before a second wave of planes appears in the sky.
Stewart:
As usual very well done. I didn't realize you were so conversant with WW II or military tactics.
You didn't address the possibility that we aren't using our best defensive or offensive capabilities either to hold something in reserve until we really need it or to inflict disproportionate damage to the attacker at a time of our choosing.
Marc's point isn't entirely frivolous but is not exactly novel. The tension between NSA's intelligence collection and information system security missions has been recognized and widely discussed for at least the past 35 years. Rather than bemoaning the obvious it would be more useful for Marc and his colleagues to recommend policies that would maximize US capabilities to protect its networks while minimizing the risks posed by NSA's dual missions.
Posted by: Michael Smith | Jan 12, 2013 at 09:45 PM