Schneier Recommends Nuclear-Style Cyberwar Hotlines, Treaties
strawberryshakes writes "Cyberwar is the new nuclear war. Bruce Schneier says governments should establish hotlines and treaties outlining the protocol surrounding cyberwar, just as they would for any other war. He wrote in the Financial Times (paywalled, but available through Google), 'A first step would be a hotline between the world’s cyber commands, modelled after similar hotlines among nuclear commands. This would at least allow governments to talk to each other, rather than guess where an attack came from. More difficult, but more important, are new cyberwar treaties. These could stipulate a no first use policy, outlaw unaimed weapons, or mandate weapons that self-destruct at the end of hostilities. The Geneva Conventions need to be updated too. Cyber weapons beg to be used, so limits on stockpiles, and restrictions on tactics, are a logical end point. International banking, for instance, could be declared off-limits. Whatever the specifics, such agreements are badly needed.'"
So what if the Chinese DDoS the internet for a while? OMG, twitter might go down!!~!eleventy!
I think the ISPs will be much more effective in fixing any problems, possibly by blocking all traffic from the offending country, if it comes down to that.
What exactly is a stockpile of cyber weapons? A room full of nerds and a case of Mountain Dew?
Cyberwar is the new nuclear war.
Gimme a break. When I see a hacker kill off 100,000 people, then I'll take that statement seriously.
Jesus Christ, hyperbole is becoming the norm these days.
How else could you trust the caller? Phones are just another form of IT.
My first reading of the headline was "Schneier recommends nuclear war." Would have been a more interesting article...
If this is going to go on for a few days, they'd better stock up on the Dew!
We could just ban the use of Windows in critical IT infrastructure.
I have the feeling this will end up being better in theory than implementation.
Cyberwar is the new nuclear war.
No it's not. It used to be that nuclear weapons were out of reach for a private entity. It is not the case with cyberweapons. How do you regulate the action of the mafia or the triads? How do you apply a treaty onto an individual? Treaties and regulation work for limited-availability weapons, but for something as easy to produce, I don't see how it could work.
Jehovah be praised, Oracle was not selected
Look at the stuxnet attack on Iran last month. If that country had a more developed nuke program a hostile neighbor (country X) could have had the opportunity to co-opt their systems and launch against Israel. Israel would immediately engage in a retaliatory strike and country X would be the winner (assuming they are anti Iran and at least neutral in their relations with Israel).
Country X in this case just became a nuclear power without ever facing embargoes, or hostility from the US.
I went to battle M.C. Escher, but drew a blank.
Quick! pick up the red emergency phone and dial the 16 year old 3l33t hax0r general in charge so he can fire the scripts! For great lols!
Hmm, he seems to be seriously exaggerating the threat. Network attacks are very easy to defend against and the damage is negligible compared to a real military attack. So this is plain stupid.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
see: a taste of armageddon
It's another case of doing everything but locking and securing a sufficiently resistant cockpit door.
For justice, we must go to Don Corleone
Can we make facebook a civilian target?
Substitute smoke for electrons if that makes it more understandable and gives a better visual for the hotline idea.
Someone forgot to make a rule, that everybody will follow of course, not to mess with the IP phones used for the hotline. Can't mess with the networks they run on either!
Home of The Suki Series
Will it mean hackers and the like will be considered enemy combatants if taken prisoners? Won't they have to wear uniforms to distinguish themselves from 'terrorists'?
Too bad the black berets are already taken by the USAF. How about black hoodies?
I'm also pretty sure some will insist on including dice, wands or xkcd quotes...
"Hello, cyberwar hotline. Have you tried turning it off and back on again?"
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Look at the stuxnet attack on Iran last month. If that country had a more developed nuke program a hostile neighbor (country X) could have had the opportunity to co-opt their systems and launch against Israel. Israel would immediately engage in a retaliatory strike and country X would be the winner (assuming they are anti Iran and at least neutral in their relations with Israel).
Country X in this case just became a nuclear power without ever facing embargoes, or hostility from the US.
What?!? Complete nonsense. That was thought of back in the 50s.
The Stuxnet went after control systems in nuclear power plants. The only thing that happened was they couldn't run - BFD.
Nuclear weapons have human controls - nothing gets launched without a human being turning keys and pressing buttons.
Geeze!
Who will tell you to run the recovery CD.
Aren't these just fancy encrypted telephones between superpowers? Why do they need different hotlines for different crises?
I dream of a nation where a man is not judged by his skin color but by a number assigned by a credit rating agency.
all your FaceBook are belong to us
"These could stipulate a no first use policy, outlaw unaimed weapons, or mandate weapons that self-destruct at the end of hostilities."
There are tons of major differences between a nuclear weapon and cyber-'weapons'.
Firstly, how do you work out who sent it? A nuclear warhead is pretty easy to track - but what about Stuxnet?
Also, civilians aren't generally capable enough to create their own nuclear weapons, they can make cyber-'weapons'.
What it'll end up with is everyone agreeing that cyber-weapons are bad and banned, then doing stuff in secret.
The solution is better security. Yes, it's an impossible goal - but it's still more realistic than having the president going- "Dammit! My facebook has been DDOSed. Someone get me the Kremlin!"
Schneier is assuming that in cyberwar the main actors are going to be nation-states. Look at Wikileaks; that's a form of cyberwarfare and I don't see how a hotline between the US president and the Chinese premier is going to help. We're entering a post-nation-state era, but Schneier sounds like he's using models from the 1960's.
Do you think the cyber-guerrillas will respect the Geneva convention? The international cyber-banks will be the first to go in a world-wide-cyber-war!
The cyber-dead will be strewn about the cyber-fields, and cyber-children will run in terror from cyber-napalm. WE'LL REVERT TO PRE-CYBER CIVILIZATION!
So... like today, but instead of cyber-dot, to complain about greedy corporations we'll have to go talk to our neighbors.
I find it interesting that Bruce, who is a pretty savvy guy, would suggest treaties for 'cyber warfare' that are analogous to those employed in conventional warfare. The problem, as illustrated by the snarky remarks in this thread, is that the internet is so unlike anything else that such treaties would be pointless.
How are you going to verify that someone else is complying? It's one thing to be able to count missile silos or uranium mining operations, but how do you make sure that someone isn't researching methods for retasking criminal botnets for military purposes or prepping viruses for targeted release? His suggestions are comically out of touch...
HA! I just wasted some of your bandwidth with a frivolous sig!
Tell me that the attacks both visible (from idiots like Lieberman) and less visible (from so-called "hackers") are not the signs of cyberwarfare being directed against the power of free information via Wikileaks.
I guess the internet really IS serious business!
Or maybe Bruce is thinking ahead at what the Internet might be like a few years down the road.
If the governments had as much control over the internet as they wanted to, these treaties might be made under the assumption that each country keeps its house in order. Much like if a bunch of Canadians took up arms and started marching on America, the Canadian Government would be in hot water trying to explain that one.
Same thing here - if you can't keep your own hackers and crackers in line then you pay the consequences. It would be entirely possible to expect that kind of control over their own segregated parts of the internet. They keep bringing up this idea of an "Internet Killswitch" in the states. That could be used to stop both incoming and outgoing attacks.
*calls FSB major*
Yo! You don't know who I am, and I'm not sure how I got your number, but there's this thing going down in the internal networks of a few dozen hospitals here, and we're tracing it back to a site in your country. Our expert will soon be on it (god willing, assuming we can find them and brief them and give them access to the binaries) but the code obfuscation and anti-reversing features are like acts of god almighty, and amusingly treated as such by the insurance companies. Could you please help us catch these crazy bastards for interrogation about the stopping key... pulling the plug? That won't work, it's a self-contained virus, bricking shit like a startled soviet-era comedian. Talk to my boss? Well, I'm not sure he knows how to deal with this... or for that matter which one of my bosses I'm supposed to call...
As (potentially) opposed to:
*calls the kr3ml1n h4x0r bünk3r (actual official name) from the American Cyber Command (actual official name)*:
Hello, we've got a massive self-replicating attack on our internal networked hospital equipment, much like the scenario we discussed a few months ago. We can't break the obfuscation, and IDA Pro gets eaten up from the inside by trying to analyze it, but you guys might have more luck with the binaries we've managed to capture. Also, some versions of the code communicate with a site in Russia - it's probably botnet nodes, but the "scary men in helicopters" protocol you spoke about using internally might work anyway.
Not to talk about the difference in reaction speed between the two.
Emotions! In your brain!
I know you are also not allowed to own unlicensed radioactive sources over a certain minuscule amount, vastly smaller than the critical mass of uranium or plutonium isotopes.
What about materials in the ground? Building materials?
I know this is nitpicking, but there is uranium in many rocks. If you own a big quarry, there could be a lot of uranium, certainly above the limit you are theoretically allowed to own, in those rocks.
Or what about real estate? In some places there's no distinction between soil and underground for ownership purposes. If you own a tract of land you own all that's between the surface and the center of the earth. There's certainly enough uranium to build a bomb in that 6378 km tall inverted pyramid of rock.
He's usually a LOT more intelligent than that.
2nd - be proactive. Pass a law that requires that each ISP check the packets on their network and do NOT forward any packets that do not match the addresses they control. There, spoofing is pretty much dead.
3rd - whitelists, not blacklists. Know who you absolutely must have an Internet connection to and why. If someone is flooding your network, block everyone else. (yeah, this won't work for Amazon or eBay)
4th - it's the GOVERNMENT. Use your purchasing power to demand real improvements in security.
I'd like to point out that nuclear war is much worse than cyber war. Ask the people of Japan if you'd like an opinion. In fact, some might say to draw such an analogy is Godwin-like.
Back in the day... who really could launch nukes? Hell, even today how many people could build a nuke... friggen governments can't even do it. So yes, you could get your dozen groups communicating and that stops it from happening. You are able to talk to everyone who can do it. Very diplomatic. Today, on the other hand, 23 year old guys control 500,000 zombie botnets. Computer security itself is terrible to the point basically a huge number of independents have the power to do the job. So what are governments doing to open communication with these people? They are trying to identify them in order to arrest or, as the USA says, "the Department of Defense is prepared, based on the authority of the President, to launch [...] an actual bombing of an attack source or a cyber counterattack." This isn't diplomatic at all.
Richard Clarke in his book Cyber War calls for some of the same kinds of controls. He calls for banning attacks on civilians, especially the banking system. He also calls for arms inspectors and an obligation of nations to assist in finding the source of attacks that come from within their borders. He calls for a "Cyber War Limitation Treaty" that would also ban putting logic bombs in civilian infrastructure. I really liked this part of the book.
peace,
isaac
*calls FSB major* Yo! You don't know who I am, and I'm not sure how I got your number, but there's this thing going down in the internal networks of a few dozen hospitals here, and we're tracing it back to a site in your country. Our expert will soon be on it (god willing, assuming we can find them and brief them and give them access to the binaries) but the code obfuscation and anti-reversing features are like acts of god almighty, and amusingly treated as such by the insurance companies. Could you please help us catch these crazy bastards for interrogation about the stopping key... pulling the plug? That won't work, it's a self-contained virus, bricking shit like a startled soviet-era comedian. Talk to my boss? Well, I'm not sure he knows how to deal with this... or for that matter which one of my bosses I'm supposed to call... As (potentially) opposed to: *calls the kr3ml1n h4x0r bünk3r (actual official name) from the American Cyber Command (actual official name)*: Hello, we've got a massive self-replicating attack on our internal networked hospital equipment, much like the scenario we discussed a few months ago. We can't break the obfuscation, and IDA Pro gets eaten up from the inside by trying to analyze it, but you guys might have more luck with the binaries we've managed to capture. Also, some versions of the code communicate with a site in Russia - it's probably botnet nodes, but the "scary men in helicopters" protocol you spoke about using internally might work anyway. Not to talk about the difference in reaction speed between the two.
So you're the guy they hire to fill in where the script says [tech]!
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
Do you realize that in addition to IPv6 routers, why, there are studies underway to put IPv6 in PCs, set top boxes, cell phones, VoIP gateways, toasters, video game consoles? Video game consoles, Mandrake. Children's video game consoles?
No one is amused by you, or interested in your ideas. Re-evaluate your life.
If you examine your sig, you'll see that it can't possibly be true:
rule number 1 of slashdot: ANY thread can be twisted into a bash of microsoft. no exceptions.
You appear to have focused on the second part, without realizing that some threads (and indeed, whole articles) start out as microsoft bashing, and therefore can only be twisted into something other than a microsoft bash, if indeed, they can be twisted at all.
Can you be Even More Awesome?!
Dude-NON-FREE SOFTWARE CONTROLS THE COMPUTERS AROUND THE WORLD. This means America. It is why we have the problems we have today. You can't simply "put your house in order". The problem can't be fixed. What happens now is everything gets swept under the rug. Anti-virus companies don't fix bugs. They release "definitions" which are a complete fraud. It lets anti-virus companies say they are protecting you because they can detect a handful of pieces of malicious code. The truth is they don't detect the majority of junk floating around which is why virus removals are so common. It isn't just because people are stupid (not that they aren't). The non-free software industry doesn't help either. Neither Microsoft nor Apple have an "app store" for the desktop like GNU/Linux distributions. The only company as far as I'm aware that exists right now you can actually buy a computer that an average user can use is www.thinkpenguin.com. They're mainly targeting the masses in Louisiana, New Jersey, Pennsylvania, and Oregon (with local operations) even though they are selling throughout the USA right now.
Brilliant! That would make critical IT infrastructure less diverse, and make it even more likely everything could be taken out with a single zero day attack.
Beware of bugs in the above code; I have only proved it correct, not tried it.
The value of my life is undefined.
Emotions! In your brain!
Exactly. Such an idea is rather worthless.
Threats to networks could come from governments, but they can also come from extremists, corporations, hobbyists, or a legion of meme-spewing 4-channers.
The targets can be just as varied. They might target corporate networks, government networks, utility infrastructures, or a website that happens to be of highly political interest.
Even if governments agree to such treaties, how do we know that they won't operate secretly anyway, and just blame cyber criminals or rogue groups if they do launch an attack? It's not like data packets in cyber attacks carry flags.
They keep bringing up this idea of an "Internet Killswitch" in the states. That could be used to stop both incoming and outgoing attacks.
An Internet killswitch is about as viable as a perpetual motion machine. Assuming that you could round up all the possible avenues into and out of the United States (and there are a LOT of them, not just a few major landlines), and get the collective owners to agree that a killswitch is a good idea, you can only realistically kill all traffic, since filtering is unrealistic. If you do this, you will cause far more internal economic damage than any hacking attempt could ever cause. Plus, it doesn't stop anything that is happening inside the country. (say, a Russian mob running a phishing botnet remotely.)
He isn't thinking ahead. My point was that he is suggesting trying to think about a fundamentally new and different problem using conventional thought. You cannot realistically monitor a country's virtual military activities.
HA! I just wasted some of your bandwidth with a frivolous sig!