Should the US Go Offensive In Cyberwarfare?

The NYTimes has a piece analyzing the policy discussions in the US around the question of what should be the proper stance towards offensive cyberwarfare. This is a question that the Bush administration wrestled with, before deciding that the outgoing president didn't have the political capital left to grapple with it. The article notes two instances in which President Bush approved the use of offensive cyberattacks; but these were exceptions, and the formation of a general policy was left to the Obama administration. "Senior Pentagon and military officials also express deep concern that the laws and understanding of armed conflict have not kept current with the challenges of offensive cyberwarfare. Over the decades, a number of limits on action have been accepted — if not always practiced. One is the prohibition against assassinating government leaders. Another is avoiding attacks aimed at civilians. Yet in the cyberworld, where the most vulnerable targets are civilian, there are no such rules or understandings. If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker's power grid if that would also shut down its hospital systems, its air traffic control system, or its banking system?"

Re:Offensive?

[auric_dude]

Blackwater Worldwide & Blackwater USA now called Xe http://en.wikipedia.org/wiki/Xe_(Company)

Re:Abso-freakin'-lutely!

[tukang]

Yes, you have a point about our standard of living but it's not only our standard of living that has caused this problem, it's also the deterioration of the quality of k-12 education in the US - especially in math.

When I did my undergrad, more often than not, kids who didn't know standard mathematical identities, were Americans. I don't see how someone who doesn't understand logs and exponents inside out can do well in a (respectable) comp sci program. Why should US companies hire mediocre US comp sci students when they can hire higher quality students overseas at a cheaper price?

Re:Offensive?

[jc42]

1. What makes you think they don't already have a backdoor into every copy of Windows shipped?

In effect, this has been freely admitted by Microsoft, and we've discussed it several times here on slashdot. It came up a month or so back in a story about someone who found that, even with all the automatic update stuff turned off, some "system" updates happen in Vista anyway. Turning off all the auto-update stuff doesn't stop these updates from happening. In the discussion, it has come out that this has been true since at least the early releases of XP.

In various security-related forums, it has been pointed out that this "feature" is a classical backdoor. It allows anyone with the right connections inside Microsoft to get their software installed in any machine via the automatic update mechanism. If you think that the security folks in various government agencies (in the US and other countries) don't know about this, you're rather naive. After all, it has been discussed here and in several other public net forums.

This is also a good thing to bring up when someone makes the claim that all other OSs are just as vulnerable as MS Windows. With linux and the *BSDs, we have the source available (and we can compile them ourselves if we like), so we can (and do) examine the code for such things. We can be reasonably sure that, when backdoors have been slipped into these open-source systems (and it has happened), the fact has become public very quickly and there were fixes available. With MS Windows, we don't have the source (though some agencies in the US and PRC governments have it), so we can't examine the code or recompile it. And when the stories come out about the automatic downloading of new software by Windows, Microsoft isn't even apologetic. Those backdoors are there intentionally; they're not going away; you and I have no defense against them.

Except to not use Microsoft products, of course.

(Actually, it has been pointed out that you can make MS Windows secure, but one of the requirements is that you never connect it to any kind of network. This includes removing hardware such as wifi, bluetooth, IR, USB, etc. devices ;-)