Slashdot Mirror


Schneier Recommends Nuclear-Style Cyberwar Hotlines, Treaties

strawberryshakes writes "Cyberwar is the new nuclear war. Bruce Schneier says governments should establish hotlines and treaties outlining the protocol surrounding cyberwar, just as they would for any other war. He wrote in the Financial Times (paywalled, but available through Google), 'A first step would be a hotline between the world’s cyber commands, modelled after similar hotlines among nuclear commands. This would at least allow governments to talk to each other, rather than guess where an attack came from. More difficult, but more important, are new cyberwar treaties. These could stipulate a no first use policy, outlaw unaimed weapons, or mandate weapons that self-destruct at the end of hostilities. The Geneva Conventions need to be updated too. Cyber weapons beg to be used, so limits on stockpiles, and restrictions on tactics, are a logical end point. International banking, for instance, could be declared off-limits. Whatever the specifics, such agreements are badly needed.'"

18 of 123 comments

  1. Oh boo hoo... by moosehooey · · Score: 2, Insightful

    So what if the Chinese DDoS the internet for a while? OMG, twitter might go down!!~!eleventy!

    I think the ISPs will be much more effective in fixing any problems, possibly by blocking all traffic from the offending country, if it comes down to that.

    1. Re:Oh boo hoo... by plover · · Score: 3, Interesting

      I think the ISPs will be much more effective in fixing any problems, possibly by blocking all traffic from the offending country, if it comes down to that.

      This is "cyberwar" (their word, not mine) we're talking about. General Hayden, the former Director of the NSA, spoke at Blackhat on the topic this summer. He said that the Internet today resembles a vast indefensible plain, and that an enemy attack can come from anywhere. He thought (hoped?) a kind of "geography" would eventually evolve on the internet, allowing for tactical maneuvering, permitting the kind of strategies warriors like to fight and defend from. You're alluding to a similar type of thinking, where if the attack comes from China, you pull the cable on the back of your router marked "From China".

      It's that kind of thinking that's unfortunately going to fail at cyberwar.

      If I'm attacking your country's systems, I'm not coming from China. I'm hopping hacked servers and networks from China to Estonia to Russia to France to London to New York. If it's a DDoS attack, I'm not commanding a million Chinese PCs to send you SYN packets, I'm sending one instruction to a command and control network to tell an army of zombies across the country and globe to send you SYN packets. Or I'm activating the hostile commands buried in my counterfeit Cisco routers spread across your country by cheapo eBay resellers.

      The best defense against info-warfare is to have a good alternate strategy. Twitter may not need backups, but Wall Street does. Industrial plants and the electrical grid need air gaps (and obviously a lot more protection than they have today.) The armed services need an isolated network. So does the intelligence community. The first, second, and third jobs of cybercommand should be creation of these defense plans.

      --
      John
    2. Re:Oh boo hoo... by fishexe · · Score: 2

      The best defense against info-warfare is to have a good alternate strategy. Twitter may not need backups, but Wall Street does. Industrial plants and the electrical grid need air gaps (and obviously a lot more protection than they have today.) The armed services need an isolated network. So does the intelligence community. The first, second, and third jobs of cybercommand should be creation of these defense plans.

      They need all those things and also a good, well-enforced policy to keep defense/intelligence employees' ad hoc sneakernet from de-isolating the isolated networks. Witness the recent near-destruction of Iran's nuclear program at the hands of Stuxnet, which is believed to have been brought into the nuclear facility's isolated network by a scientist using a thumb drive to take work home with him.

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
  2. Stockpiles?...of cyber weapons? by Last_Available_Usern · · Score: 4, Funny

    What exactly is a stockpile of cyber weapons? A room full of nerds and a case of Mountain Dew?

    1. Re:Stockpiles?...of cyber weapons? by Sarten-X · · Score: 4, Insightful

      Probably something along the lines of a number of botnets, zombies, secret 0-day vulnerabilities, etc.

      It's pretty easy to picture governments building up large botnets of their own machines, ready to tear down any site they want. Limits on that would be good, I think.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:Stockpiles?...of cyber weapons? by KublaiKhan · · Score: 2

      That was my question.

      Would the stockpile be counted MAFIAA-style, with each copy, download, and upload counting as a 'unit'?

      Or would the stockpile be counted in lines of code? Perhaps in terms of algorithms used? Type of weapon?

      Given the rate of development that "cyberweapons" undergo, I think that 'stockpiling' would, in reality, mostly refer to the archive room with a bunch of obsolete software cluttering up DVDs.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
  3. Or by 0123456 · · Score: 3, Insightful

    We could just ban the use of Windows in critical IT infrastructure.

    1. Re:Or by mangu · · Score: 2

      No OS is secure. There is -always- a way in, even if it's just social-engineering the guy with the passwords.

      True. But I'd bet that the lock in the safe in my bank is more secure than the lock in my suitcase.

      To say "No OS is secure" is very different than saying all OSes are equally insecure.

    2. Re:Or by KublaiKhan · · Score: 2

      True enough--but the point is that the sole action of switching OSs will not cause any real gains in security.

      Gains in security can only be made with an organizational dedication to security from the top down--everyone involved must be made to realize the risks involved, and mitigations of these risks must be performed (and checked) at every level.

      So if you switch over to Linux, great, good job. But if your secretary still opens every funny email that shows up, sooner or later you're going to get hit.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
  4. bad analogy ! by JonySuede · · Score: 4, Insightful

    Cyberwar is the new nuclear war.

    No, it's not. It used to be that nuclear weapons were out of reach for a private entity. It is not the case with cyberweapons. How do you regulate the action of the mafia or the triads? How do you apply a treaty onto an individual? Treaties and regulation work for limited-availability weapons, but for something as easy to produce, I don't see how it could work.

    --
    Jehovah be praised, Oracle was not selected
    1. Re:bad analogy ! by N0Man74 · · Score: 3, Insightful

      Exactly. Such an idea is rather worthless.

      Threats to networks could come from governments, but they can also come from extremists, corporations, hobbyists, or a legion of meme-spewing 4-channers.

      The targets can be just as varied. They might target corporate networks, government networks, utility infrastructures, or a website that happens to be of highly political interest.

      Even if governments agree to such treaties, how do we know that they won't operate secretly anyway, and just blame cyber criminals or rogue groups if they do launch an attack? It's not like data packets in cyber attacks carry flags.

  5. Cyber weapons = Nuclear weapons by Fibe-Piper · · Score: 2, Interesting

    Look at the Stuxnet attack on Iran last month. If that country had a more developed nuke program, a hostile neighbor (country X) could have had the opportunity to co-opt their systems and launch against Israel. Israel would immediately engage in a retaliatory strike and country X would be the winner (assuming they are anti-Iran and at least neutral in their relations with Israel).

    Country X in this case just became a nuclear power without ever facing embargoes, or hostility from the US.

    --
    I went to battle M.C. Escher, but drew a blank.
  6. Exaggeration by flyingfsck · · Score: 3, Insightful

    Hmm, he seems to be seriously exaggerating the threat. Network attacks are very easy to defend against and the damage is negligible compared to a real military attack. So this is plain stupid.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  7. Cyberwar Hotline by HTH+NE1 · · Score: 4, Funny

    "Hello, cyberwar hotline. Have you tried turning it off and back on again?"

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  8. Missing the Point, entirely by Haedrian · · Score: 2

    "These could stipulate a no first use policy, outlaw unaimed weapons, or mandate weapons that self-destruct at the end of hostilities."

    There are tons of major differences between a nuclear weapon and cyber-'weapons'.

    Firstly, how do you work out who sent it? A nuclear warhead is pretty easy to track - but what about Stuxnet?

    Also, civilians aren't generally capable enough to create their own nuclear weapons, they can make cyber-'weapons'.

    What it'll end up with is everyone agreeing that cyber-weapons are bad and banned, then doing stuff in secret.

    The solution is better security. Yes, it's an impossible goal - but it's still more realistic than having the president going- "Dammit! My Facebook has been DDOSed. Someone get me the Kremlin!"

  9. Re:Oh, please. by memyselfandeye · · Score: 3, Interesting

    Gimme a break. When I see a hacker kill off 100,000 people, then I'll take that statement seriously.

    Jesus Christ, hyperbole is becoming the norm these days.

    QFT! Last time I checked, a DDOS isn't capable of evaporating several hundred square miles like an ICBM with 6x600kT warheads. I think our leaders and 'thinkers' need to play around with a Google Maps mashup here, and see some friggin' clarity!

  10. cyberwar isn't about nation-states! by strangelovian · · Score: 3, Insightful

    Schneier is assuming that in cyberwar the main actors are going to be nation-states. Look at Wikileaks; that's a form of cyberwarfare and I don't see how a hotline between the US president and the Chinese premier is going to help. We're entering a post-nation-state era, but Schneier sounds like he's using models from the 1960s.

  11. It makes sense, considering the following scenario by Securityemo · · Score: 3, Insightful

    *calls FSB major*

    Yo! You don't know who I am, and I'm not sure how I got your number, but there's this thing going down in the internal networks of a few dozen hospitals here, and we're tracing it back to a site in your country. Our expert will soon be on it (god willing, assuming we can find them and brief them and give them access to the binaries) but the code obfuscation and anti-reversing features are like acts of god almighty, and amusingly treated as such by the insurance companies. Could you please help us catch these crazy bastards for interrogation about the stopping key... pulling the plug? That won't work, it's a self-contained virus, bricking shit like a startled soviet-era comedian. Talk to my boss? Well, I'm not sure he knows how to deal with this... or for that matter which one of my bosses I'm supposed to call...

    As (potentially) opposed to:

    *calls the kr3ml1n h4x0r bünk3r (actual official name) from the American Cyber Command (actual official name)*:
    Hello, we've got a massive self-replicating attack on our internal networked hospital equipment, much like the scenario we discussed a few months ago. We can't break the obfuscation, and IDA Pro gets eaten up from the inside by trying to analyze it, but you guys might have more luck with the binaries we've managed to capture. Also, some versions of the code communicate with a site in Russia - it's probably botnet nodes, but the "scary men in helicopters" protocol you spoke about using internally might work anyway.

    Not to talk about the difference in reaction speed between the two.

    --
    Emotions! In your brain!