Should the US Go Offensive In Cyberwarfare?

← Back to Stories (view on slashdot.org)

Should the US Go Offensive In Cyberwarfare?

Posted by kdawson on Tuesday April 28, 2009 @08:50AM from the mutually-assured-mayhem dept.

The NYTimes has a piece analyzing the policy discussions in the US around the question of what should be the proper stance towards offensive cyberwarfare. This is a question that the Bush administration wrestled with, before deciding that the outgoing president didn't have the political capital left to grapple with it. The article notes two instances in which President Bush approved the use of offensive cyberattacks; but these were exceptions, and the formation of a general policy was left to the Obama administration. "Senior Pentagon and military officials also express deep concern that the laws and understanding of armed conflict have not kept current with the challenges of offensive cyberwarfare. Over the decades, a number of limits on action have been accepted — if not always practiced. One is the prohibition against assassinating government leaders. Another is avoiding attacks aimed at civilians. Yet in the cyberworld, where the most vulnerable targets are civilian, there are no such rules or understandings. If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker's power grid if that would also shut down its hospital systems, its air traffic control system, or its banking system?"

23 of 276 comments (clear)

Min score:

Reason:

Sort:

Offensive? by oahazmatt · 2009-04-28 08:52 · Score: 4, Funny

Why? Just contract /b/ to do all the dirty work for you.

It could be the Blackwater of Online Warfare.

--
Those who believe the Internet is private,
find their privates are on the Internet.
1. Re:Offensive? by emocomputerjock · 2009-04-28 08:56 · Score: 5, Funny
  
  Now if only you could figure out a way to convince them that they are your personal army.
2. Re:Offensive? by homain · 2009-04-28 09:08 · Score: 5, Funny
  
  promises of boxxy naked should do the trick
3. Re:Offensive? by auric_dude · 2009-04-28 10:23 · Score: 4, Informative
  
  Blackwater Worldwide & Blackwater USA now called Xe http://en.wikipedia.org/wiki/Xe_(Company)
4. Re:Offensive? by religious+freak · 2009-04-28 10:24 · Score: 5, Insightful
  
  I think it's naive to believe we're NOT on the offensive, though I've got to admit our nation's recent incompetence in dealing with IT (defunct air force initiative, losing engineering plans to the F35) gives me a little more doubt.
  
  But we INVENTED a lot of this stuff. What does the NSA do, exactly? Yeah, they intercept international communications and develop systems to do this, but is that really all they do... really?
  
  I sure as hell hope not...
  
  --
  If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
5. Re:Offensive? by jc42 · 2009-04-28 15:35 · Score: 4, Informative
  
  1. What makes you think they don't already have a backdoor into every copy of Windows shipped?
  In effect, this has been freely admitted by Microsoft, and we've discussed it several times here on slashdot. It came up a month or so back in a story about someone who found that, even with all the automatic update stuff turned off, some "system" updates happen in Vista anyway. Turning off all the auto-update stuff doesn't stop these updates from happening. In the discussion, it has come out that this has been true since at least the early releases of XP.
  In various security-related forums, it has been pointed out that this "feature" is a classical backdoor. It allows anyone with the right connections inside Microsoft to get their software installed in any machine via the automatic update mechanism. If you think that the security folks in various government agencies (in the US and other countries) don't know about this, you're rather naive. After all, it has been discussed here and in several other public net forums.
  This is also a good thing to bring up when someone makes the claim that all other OSs are just as vulnerable as MS Windows. With linux and the *BSDs, we have the source available (and we can compile them ourselves if we like), so we can (and do) examine the code for such things. We can be reasonably sure that, when backdoors have been slipped into these open-source systems (and it has happened), the fact has become public very quickly and there were fixes available. With MS Windows, we don't have the source (though some agencies in the US and PRC governments have it), so we can't examine the code or recompile it. And when the stories come out about the automatic downloading of new software by Windows, Microsoft isn't even apologetic. Those backdoors are there intentionally; they're not going away; you and I have no defense against them.
  Except to not use Microsoft products, of course.
  (Actually, it has been pointed out that you can make MS Windows secure, but one of the requirements is that you never connect it to any kind of network. This includes removing hardware such as wifi, bluetooth, IR, USB, etc. devices ;-)
  
  --
  Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Abso-freakin'-lutely! by Smidge207 · 2009-04-28 08:53 · Score: 5, Interesting

Starting in 2002 we gave away our dominance in software technology to other nations. The policy of China was to subsidize tens of thousands of students studying in the computer sciences. In 2002 American companies subsidized this policy of China by shipping over American jobs so that Chinese students could gain the necessary and hard to obtain experience of working on real systems. American programming jobs were shipped to India, China, and Russia and subsidized these nations in their ability to build expertise in software technology.
Now very few American students are enrolled in the computer sciences departments of America to provide the expertize necessary for threats to American computer systems, while other nations have tens of thousands that can obtain all of the benefits of software technology. American students will not enroll in the computer sciences when the policy of America is simply to ship programming jobs overseas. Now many American systems are dependent upon offshore foreign programmers. There have already been incidents where offshore foreign workers were bribed to provide account information on bank customers.
The reality is that major American system may have already been compromised by bribes to offshore foreign workers to insert malicious code into the American systems where they have direct access. Hollywood movies show complex schemes and supposedly sophisticated attacks to access computer system when the reality is that you can simply walk in the front door with a bribe and have complete access. It is meaningless to protect these systems from attacks over the internet when they may already have been seriously compromised.
=Smidge=

--
Is it just my observation, or is eldavojohn an idiot?
1. Re:Abso-freakin'-lutely! by Red+Flayer · 2009-04-28 09:10 · Score: 5, Insightful
  
  American students will not enroll in the computer sciences when the policy of America is simply to ship programming jobs overseas.
  And yet that's not the policy of America. That's the policy of *some* American companies.
  
  Mostly because US workers are not worth what they cost to employ.
  
  The solution is not a phobic restriction on offshoring (protectionism), the solution is to bring domestic wages in line with offshore wages. Ideally this is done by increasing the global standard (and cost!) of living, but at some point we might just have to realize that our ridiculous wasteful standard of life is unsustainable if we want to compete economically with the rest of the world.
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
2. Re:Abso-freakin'-lutely! by clarkkent09 · 2009-04-28 09:12 · Score: 4, Insightful
  
  the policy of America is simply to ship programming jobs overseas
  
  No it's not. The policy of America is to promote globalization and free trade which in the long run is thought (rightly or not) to be beneficial to the USA. If that's what you are doing then it does make it kinda hard to use legislation to stop American companies from doing what they want which is hiring labor where its cheapest. Either you are for protectionism in which case we will lose in the long run because US companies won't be able to compete, or you are for liberalization of trade (including labor) in which case US workers will have to compete for jobs on equal terms with Chinese, Indians etc
  
  --
  Negative moral value of force outweighs the positive value of good intentions.
3. Re:Abso-freakin'-lutely! by tukang · 2009-04-28 10:30 · Score: 4, Informative
  
  Yes, you have a point about our standard of living but it's not only our standard of living that has caused this problem, it's also the deterioration of the quality of k-12 education in the US - especially in math.
  When I did my undergrad, more often than not, kids who didn't know standard mathematical identities, were Americans. I don't see how someone who doesn't understand logs and exponents inside out can do well in a (respectable) comp sci program. Why should US companies hire mediocre US comp sci students when they can hire higher quality students overseas at a cheaper price?
4. Re:Abso-freakin'-lutely! by ClosedSource · 2009-04-28 10:37 · Score: 4, Interesting
  
  Yes, the jobs are right there in the careers section of the web site and as long as tech companies want to claim there's a shortage of qualified candidates, they'll remain there unfilled.
no brainer by Briden · 2009-04-28 08:54 · Score: 5, Insightful

If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker's power grid if that would also shut down its hospital systems, its air traffic control system, or its banking system?"
no.
putting vital systems on the Internet by viralMeme · 2009-04-28 08:57 · Score: 4, Funny

"If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker's power grid if that would also shut down its hospital systems, its air traffic control system, or its banking system?"

What country would be foolish enough to connect its power grid, hospital systems, air traffic control and it's banking system to the Internet.
No cyber-waterboarding or cyber-torture by Anonymous Coward · 2009-04-28 08:58 · Score: 5, Funny

I can just imagine the streaming video of masked men slowly lowering a powered-up motherboard into water while yelling "why did you portscan us?"
Yes by MikeRT · 2009-04-28 08:59 · Score: 5, Interesting

The US military should comport itself online similar to how it handles the distinction between government and civilian targets in physical battles. That means the US military should regard all Chinese and Russian systems as open, hostile targets of opportunity the way that those governments treat everyone else. However, the US military should refuse to use its resources for the betterment of the US economy, unless that is something like stealing Russian jet designs and handing them quietly over to Lockheed or Northrop Grumman to analyze.
Let's stop kidding ourselves that these countries are only responding to us. There are plenty of people who foolishly believe that the Russians and Chinese are only engaging in an arms race to keep up with us because they're "afraid of us." Bull. Fucking. Shit. Like hell they're scared of us. The reason they're doing this is obvious to anyone who has studied their history. For centuries they've been imperialists and aggressors, and now a young country has finally kicked them to the curb. It's a pride issue, not a national security issue. The moment we accept that is the moment we'll finally come to grips with what we're really dealing with here.
Conflict always been part of our history. War will always be with us. The lunacy that leads people to believe in progress to negate that is the same lunacy that has lead to the economic mismanagement that resulted in the Great Depression, the millennial bubble and our current fiasco. Basic facts about war, foreign policy and economics will always be with us.
The answer is no. by hey! · 2009-04-28 08:59 · Score: 5, Insightful

At least, not until provoked, and then only at resources demonstrably being used in actual operations against the US.
The reason is that we don't want politically motivated cybervandalism to be legitimized.
This is what I had against the whole neo-con "spread democracy" program. I'm all for spreading democracy, but it won't work unless you spread the values and institutions necessary to make democracy work. One of those is freedom of thought and expression. It makes no sense to promote democratic government in a country where you are conducting psyops campaigns and are complicit in or actually performing suppression of free speech.

--
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Proactive offence vs passive defence by Mr.Fork · 2009-04-28 09:00 · Score: 5, Insightful

As a former fed IT staffer and military specialist, our policies were always to be proactive. Resting is never a good place to be when an attack hits. Obama (and the rest of our NATO nations) need to have their own cyber-warfare military units to respond to any potential threat. With our economies being tied closer and closer each year to the internet, its now along the same lines of our need for energy and needs to be guarded as such.

Besides, I would rather these units proactively dismantle bot-nets, spynets, and spam-nets to protect our infrastructure than to constantly force the private companies to deal with the criminal and 'not-so-criminal-china-warfare' tactics going on today.

--
Management is doing things right; leadership is doing the right things. - Peter F. Drucker
What a pointless question. by DarkEntity · 2009-04-28 09:31 · Score: 4, Funny

As an American, I think I already am pretty offensive to most people on the Internet.
*Aimed* is the crucial word. by teh+kurisu · 2009-04-28 09:46 · Score: 5, Interesting

Another is avoiding attacks aimed at civilians.

Israel's policy, which America supports, is that firing a missile into a block of flats full of civilians is okay, if they think a terrorist is in the building. The attack is not aimed at the civilians, they just happen to be there. I'm sure the same mindset would apply in this case.
Re:Huh? by Dishevel · 2009-04-28 10:40 · Score: 5, Insightful

We did ALOT!
We gave craploads of money to teachers unions and then made high school easy to pass without learning anything so the teachers did't look to bad
We passed onerous environmental and labor laws encouraging companies to abandon the US.
We ran around and screamed and yelled that everyone should be coddled and no one should be fired.
We did alot. We are getting exactly what we paid for.
We have strong unions getting massive benefits at the cost of the consumer and the citizen. Because smartly, the businesses pass on the true costs of what we wanted right back to us. If you don't like what you got, then look at us. Not "Evil big business".

--
Why is it so hard to only have politicians for a few years, then have them go away?
Re:what the US should do by World.Pop(MPAA) · 2009-04-28 11:24 · Score: 5, Funny

CLI baby. Go back to X windows from a command line. if the user doesnt want to do anything but what they have to on the computer, they won't be doing things that they shouldn't.
I think that's the most retarded comment of the day.
Re:Huh? by WindowlessView · 2009-04-28 12:47 · Score: 5, Interesting

We did ALOT! (sic)
WHO gave "craploads" to teachers unions? Those vastly over paid teachers? Or are you claiming some secret back door from the government because THAT would be worth a laugh. The people we do know got a crap load of money were the banks, investment companies, etc., who have spent the last 20 years sending their back office operations, research departments, telemarketing and customer service offshore.
You scream about letting the market work but when it does, you don't like it. You complain about taxes, pay the teachers dirt and wonder why you didn't get wonderful results. Oh, wait! You have "studies" showing that increased school budgets don't bring better results. Amazing, just amazing how that argument is never used against CEOs and investment bankers. Boo hoo, if we don't pay them enough the best and brightest will run off to Dubai!
You blame some poor schnook doing their best for 35k/yr because they can't compensate for the sins of parents who pass on to their kids the attitude that the "piece of paper" is the only important thing. Or a society that wholly devalues and is embarrassed by academic achievement. Or the array of ipods, text messaging, facebook, and other trivialities that mommy and daddy buy for their precious offspring and allow them use without consequence.
You set up and continue a dysfunctional system of local schools supported largely by community property taxes so that the difference between going to a public high school in Bethesda, MD and Washington, DC is comparable to going to school at Choate Academy and a village in Angola. And then you bemoan 50% drop out rates and the that 2/3rds of school children can't find their state on a map.
Yeah, blame it on the teachers unions. That's really where the problem is.
We passed onerous environmental and labor laws encouraging companies to abandon the US.
Right those nasty workers and their unions again. Imagine them wanting to work in places with basic safety measures and living in communities that aren't poisoned by their employers. Because, oddly enough, it NEVER seems to be the CEO's house that sits atop the toxic waste dump.
We have strong unions getting massive benefits at the cost of the consumer and the citizen.
Oh Lordy, do I EVER know what you mean! Who would have thought that 7% of the private sector that belongs to unions could cause SUCH problems. My god, they show up in doctor's offices now! You just can't get reservations at Spago anymore. And skiing at Vale, well don't get me started!

--
Leave the gun, take the cannolis.
Re:what the US should do by Wildclaw · 2009-04-28 16:00 · Score: 4, Interesting

The only issue here is: should the OS trust the sysadmin?
No. The OS should only trust the combination of a verified sysadmin and a verified program.
That is what is sorely lacking in the security models coming from the mainframe era. It is based only on the level of trust of the user, but completly ignores the programs that the user runs.
Remember the story about the trojan horse. The problem wasn't that the people who pulled the horse into the city weren't trusted, because they were. The problem was that they didn't adequatly guard/check the horse which was an untrusted object.
Computer security needs to make it easier for those who want to use the computer to run programs but also want to be security minded. And that means increasing the ability to set access rights of program.
I should be able to do stuff like give any executable in the "notsotrusted" directory no internet access, as well as read only access to the documents folder, except for documents accessed via the operating system file dialog. And these access rights should work together with user access rights, so you would need both to be allowed access.
Of course, that is mostly me dreaming, because I don't think I'll see it in a very long time if ever. In the meanwhile I'll just keep use sandboxie or other sandbox programs to keep the least trusted programs seperated from the rest. It does work pretty well, but the lack of integration with the operating system is noticable.