Dana Epp

Rules of Engagement for Information Warfare

Updated: Mar 16, 2018

Should we retaliate in cyberspace? Gene Burrus, Assistant General Counsel at Microsoft, doesn't believe so. And I think I am with him, unlike some infosec pros in the field.

Drawing on the lawful military doctrine of necessity and proportionality, many infosec professionals believe we have the right to counter-strike hostile intent with the subsequent use of force in self-defense.

In other words, when hostile intent such as a DoS flood begins to attack you, they believe that you have the right to attack them through the escalation of response. (Think DEFCON for the Internet.) Although this may seem like an immediate and proper response to some, it is flawed. Let me explain why.

In the physical world, history has shown that the necessity and proportionality of response has been riddled with erroneous decisions which have potentially done more damage than good. Escalating DEFCON levels brought our world to the brink of nuclear war on various occasions during the Cold War because of such actions. Rules, roles and responsibilities have kept intelligence agencies in check as they balance response against GOOD intelligence... sifting through potentially covert actions from third parties and building a complete threat analysis before attacking. Even this fails... as we have seen in the case of the erroneous intelligence that triggered the US to invade Iraq. (I will side-step the political minefield here and assume for a moment that the President of the United States acted in good faith... we can deal with conspiracy theories later.)

Now let's come back from that tangent and reflect on such actions in the digital world. The underlying protocols used to control the Internet were never originally designed to deal with non-repudiation, nor were they ever designed to guarantee upper-layer authenticity. In other words, it is quite easy to spoof a target at every layer of the OSI stack, providing multiple attack vectors to any data stream. Based on the probable level of threat, proponents of counter-strike believe the use of a scale of force to block hostile acts - or to degrade the network quality of service for indeterminate acts - can be the first step in analysis of the target... allowing for reflection, with a final 'return fire' action to counterstrike the hostile source.

In my opinion the idea is noble, but the implementation is flawed. The use of such escalation tactics with such aggressive counter-strike capabilities in cyberspace has the added risk of failure in automated determination, which will allow attackers to more easily launch strikes covertly against their real intended targets. There is a REASON why in the physical world there is a need for two separate keys and an authenticity launch code for nuclear weapons on submarines. It is to prevent such actions. No such safeguards have been proposed during even the first stage of hostile source analysis. Attribution sucks. Immediately upon responding to a threat by degrading any sort of service past your own ownership boundaries, you are breaching the remote host's network, making you no better than the hostile source.

Let me see if I can clear that up. In many cases attacks are launched by zombie platforms, 'owned' remote machines allowing the attacker to mask not only their original location, but also their original intent. It is not uncommon for an attack vector to come through vulnerable and exploited systems that reside on home computers or unpatched remote desktops like those used by roaming users. But here is the problem. Both ends go through networks YOU don't own. When you counterstrike "grandma's" computer, you are also affecting grandma's ISP. And all routes in between. You are now part of the problem, not part of the solution.

But it gets worse. What happens if both endpoint providers use a scale of force to engage in defense/counter-defense? Arming procedures for the escalation of response could go from non-destructive to destructive and non-recoverable actions in mere moments. Without human response... or with the human response of those in an operation center who truly don't know the threats that they are really susceptible to.

The idea is noble, and I too would like to attack the bastards that attack me. However, you cannot guarantee that the proper target is 'in your sights'. It seems that some infosec pros believe that human interaction is required in the operation center to analyze and escalate response. This would HAVE to be essential... because if you automate it... you will be building the biggest 'cyberweapon' launch pad the Internet has ever seen.
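As an added illustration (not part of the original post) of the two-provider feedback loop and the human-gate point above: a small constructed Python simulation in which a hidden third party C floods networks A and B with traffic spoofed as coming from each other. The four-rung ladder, the threshold and the network names are assumptions of this example, not a description of any real product.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed escalation ladder; the last two rungs act beyond the defender's own ownership boundary.
LEVELS = ["monitor", "rate_limit", "degrade_qos", "return_fire"]
THRESHOLD = 50  # packets per round from one claimed source that count as "hostile intent"

@dataclass
class Network:
    name: str
    level: int = 0
    human_gate: bool = False          # True: automation stops at the last in-boundary rung
    hits_outside_boundary: list = field(default_factory=list)

    def react(self, inbound):
        """Escalate one rung per round of hostile-looking traffic, keyed on the *claimed* source
        (the only thing the receiver can see). Returns the packets this network sends back
        toward whoever it blamed once it acts outside its own boundary."""
        counts = Counter(p["claimed"] for p in inbound)
        blamed = [src for src, n in counts.items() if n >= THRESHOLD]
        if not blamed:
            return []
        cap = LEVELS.index("rate_limit") if self.human_gate else len(LEVELS) - 1
        self.level = min(self.level + 1, cap)
        if LEVELS[self.level] in ("degrade_qos", "return_fire"):
            self.hits_outside_boundary.extend(blamed)
            # Out-of-boundary action is real traffic: claimed and true source now agree,
            # so the other side sees genuine hostility and escalates in turn.
            return [{"claimed": self.name, "true": self.name, "dst": t}
                    for t in blamed for _ in range(THRESHOLD)]
        return []

def simulate(human_gate, rounds=4):
    """Constructed scenario: hidden attacker C floods A spoofed as B, and B spoofed as A."""
    nets = {n: Network(n, human_gate=human_gate) for n in ("A", "B")}
    inflight = []
    for _ in range(rounds):
        spoofed = [{"claimed": "B", "true": "C", "dst": "A"} for _ in range(THRESHOLD)]
        spoofed += [{"claimed": "A", "true": "C", "dst": "B"} for _ in range(THRESHOLD)]
        traffic = spoofed + inflight
        inflight = []
        for net in nets.values():
            inflight += net.react([p for p in traffic if p["dst"] == net.name])
    return {n.name: {"level": LEVELS[n.level], "hit": sorted(set(n.hits_outside_boundary))}
            for n in nets.values()}

if __name__ == "__main__":
    print("automated:", simulate(human_gate=False))   # both at return_fire, firing at each other
    print("gated:    ", simulate(human_gate=True))    # both stop at rate_limit, nobody hit
```

In the ungated run A and B reach the top rung within three rounds and every out-of-boundary action lands on each other; the true source C never appears in anyone's target list.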

Yet the weakest link in security is the human factor. Checks and balances have to be in place to ensure that there is no misconfiguration... or hostile intent by the person(s) working with the system. The last thing you need is a person that escalates a response against his 'former employer' in a retaliatory strike. Who is going to monitor the monitors? This is a vicious circle.

For me... this counter-strike approach is ethically wrong. (And in many jurisdictions legally wrong as well.) There is no evidence that this is a more effective way to deal with the current threats we are exposed to, and there is quite a bit of historical precedent that indicates it is totally counterproductive. On top of that, it's this type of "whitehat" tool which would be turned around and used by the "blackhat" community as another attack platform. The last thing we need is another commercial product that is specifically designed to attack other systems.

But... that is just my opinion. And I am biased. I write digital defensive tools for a living. You would think I would welcome this... since it would increase my business *lol*. But I don't.

Nor should you.