CYBER-TERRORISM: WHEN WILL WE FIGHT BACK? By Michael S. Malone
When does a cyber-attack by another nation cross the line and become an official act of war?
I suspect that I wasn’t the only person who asked himself that question this week – and I hope that some of those people were at the highest levels of the federal government.
As I’m sure you read, or saw on the news, beginning on the fourth of July and continuing well into the week, government and private company websites in the United States and South Korea were attacked by unidentified hackers who try to crash them. Target institutions in the U.S. included the Departments of Transportation, State and Treasury, the White House (reportedly), the New York Stock Exchange, Yahoo and the Federal Trade Commission.
The type of attack was a so-called “distributed denial of service”, a classic hack that attempts to overwhelm targeted sites with massive amounts of data – and thus freezes out access by anyone else. In this case, the vehicle appears to have been a well-known software “worm” that was reprogrammed – and not particularly well, it seems – for the task. Still, for all of its crudeness, the attack did work; in the U.S. some sites were down for as much as 24 hours, in South Korea, some are still crashed.
Intelligence services in both countries have traced the attack to North Korea, but refuse to place the blame any more precisely. Yeah, right. As if all of those millions of middle-class teenaged private owners of broadband connected laptops all over that electricity Black Hole called the People’s Republic of North Korea spontaneously decided to hack the websites of another country’s government and largest corporations.
We all know why Washington (and to a lesser degree, Seoul) doesn’t want to point fingers. After all, once you fix blame for an act of aggression, you’re then supposed to do something about it. And, the reasoning goes, you don’t want to make Pyongyang angry because those guys are crrrrrraaaaazzzzzy. They could do anything, like maybe aim twice as many missiles at Hawaii next time, or put two freighters filled with weapons to sea.
So, instead, we resort to our usual response to these kinds of cyberattacks: we blame ourselves. And that’s why, right on schedule, the Feds, security experts, and bloggers all shook their heads in dismay and in unison decried the obvious failure of our security programs to protect our vital on-line information. Once again, we sat back, waited for another attack – and when it succeeded, at least partially, we wrung our hands and asked why we can’t defend ourselves better.
I think the real question we should be asking ourselves is: Why do continue to see defense as our only option? After all, if there is one thing every cop and security expert knows, it is that given enough time a burglar can break into any home, no matter how tightly locked, and a robber can crack any safe, no matter how elaborate. So, why have we convinced ourselves that our online property can remain safe behind an electronic Maginot Line, no matter how tall and thick?
As you may have guessed by now, I’m not a fan of hacking. And I never have been – not even in the romantic old days of clever young programmers taking on Big Computing. One reason was that, having grown up with these folks in Silicon Valley, I saw them less as juvenile Robin Hoods liberating the computer world from oppression, and more just a bunch of arrogant gearheads who wanted to show they were smarter than their more successful mainstream peers.
Just as important, I’ve always been haunted by secondary consequences of hacking – something apparently lost on the perpetrators. When I read about a virus or worm crashing millions of computers and processors, I remind myself that some of those devices are embedded within or wired to things like fetal monitoring systems, surgical equipment, robotic bomb demolition equipment . . .and ICBMs. Have any hacks of the past killed babies or other vulnerable people? Will they? Do hackers even care – or do they like the idea that they have the power to not only cripple major institutions, but even kill by proxy?
Finally, my time as an investigative reporter proved to me that today’s clever new hack by some brilliant, resentful kid in his parent’s basement is tomorrow’s weapon of choice for some really nasty people around the world: mobsters, child pornographers, totalitarian regimes, enemies of freedom everywhere. Is anyone surprised that a “group or state” – cough, cough *north korea* — this time used a repurposed piece of old malware, no doubt developed by some U.S. hacker a decade ago, against us?
The awful irony to all of this is that, having spent a generation now figuratively patting hackers on the heads for their crimes and telling them not to do it again, we seemed to have put ourselves into the trap of treating all such assaults as a form of victimless crime, a kind of practical joke perpetrated by people with more brains than sense. Sure, we send one or two to prison for a while, but we’re more likely to hire a successful hacker to help us fight the next generation of his ilk . . .once more, taking a defensive posture.
And this is what that attitude has earned us. One of the most interesting bits of news to come out of the coverage of this cyber-attack was the fact that, according to the Department of Homeland Security, the rate of online security breaches on government and private institutions in this country is skyrocketing: 72,000 last year, double the number of the year before. Meanwhile, the occasional story will bubble up in the mainstream media about the Chinese government sponsoring teams of hackers to probe our defenses. Similar stories have appeared about terrorist groups in the Middle East. And we know that the Iranian government, during the recent protests, went to great lengths to shut down outside coverage in form of blogs, tweets and YouTube videos.
At what point do we decide that such assaults on our sovereignty, our institutions and our fellow citizens are unacceptable? When do we get out of our defensive crouch and actively go after governments that are attacking us through cyberspace? After a Web Pearl Harbor catches us by surprise and crashes our financial markets or kills thousands of people trapped in computer controlled transportation systems run amok, or a darkened city trapped in a blizzard or heat wave, or babies in microprocessor controlled incubators? And long before then, why can’t we respond to such an attack by a foreign government not with bombs or missiles, but crashing that country’s digital infrastructure?
Or will we decide once again that the fault was our own, that the perpetrators can’t be identified anyway, and that what we really need are more robust cyber-security systems – and pray that the next attack doesn’t kill us too?