Slashdot Mirror


Cyber Commander Says It's 'Not Realistic' To Shut Down Internet (washingtonexaminer.com)

An anonymous reader links to a report on Washington Examiner: It simply would not be possible to shut down areas of the Internet that terrorists use to conduct malicious activity, the head of U.S. Cyber Command told a Senate panel on Tuesday. "In a very simplistic way, people ask why can't we shut down that part of the Internet. ... Why are we not able to infiltrate that more?" Sen. Joe Manchin, D-W.Va., asked Cyber Command leader Adm. Mike Rogers during a hearing on the agency's budget for fiscal 2017. Manchin maintained it was a common question from his constituents. "I've had people ask me, can't you just stop it from that area of the world where all the problems are coming, be it Syria or in parts of Iraq or Iran," he said. "I'm not just trying to find an answer, because that question is asked like shut her down, like you do your telephone, but it doesn't work that way," Manchin concluded.


  1. Yes it is by Anonymous Coward · · Score: 1

    If Kim K can do it!!

  2. Resilient by design by FrankHaynes · · Score: 4, Informative

    Knuckleheads. ARPAnet and MilNet were designed to be resilient against centralized attack and outages.

    "THE INTERNET IS DOWN!! THE INTERNET IS DOWN!!"

    --
    slashdot: A failed experiment.
    1. Re:Resilient by design by Austerity+Empowers · · Score: 1

      centralized attack and outages.

      On network infrastructure. I'm not sure they envisioned such wildly insecure and widespread endpoints, even within government (and military!) walls. They envisioned bombs taking out data-centers. They clearly didn't envision the low orbit ion cannon.

    2. Re:Resilient by design by phishybongwaters · · Score: 1

      That's not the same thing as denying CountryA from accessing the internet. The internet, because of routing, can continue on just fine, but we totally have the power to block or restrict regions from this network, without destroying the network.

    3. Re:Resilient by design by fustakrakich · · Score: 1

      "THE INTERNET IS DOWN!! THE INTERNET IS DOWN!!"

      Yeah, well, with three strikes, it will be in your house. Service provision is conveniently accomplished through a small number of big corporations that will be more than happy to flip the switch and turn off your internet.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Resilient by design by guruevi · · Score: 5, Interesting

      No we don't. The Internet considers censoring as damage and routes around it. Each country has telephone lines and satellite communications. If you shut down the "Internet" from routing through it's common carriers (fiber etc) someone can hang a few thousand 56k modems on their phone systems and call in to their neighbors or even through the censoring country and connect all their traffic that way. Same goes for satellite, just bounce it around a few times and it can come from anywhere.

      That's how Syrians and Iranians were still able to connect after their countries shut down their internets.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:Resilient by design by Locke2005 · · Score: 1

      "The Net interprets censorship as damage and routes around it" -- John Gilmore

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    6. Re:Resilient by design by GLMDesigns · · Score: 1

      Unless they kill you first. (Not condoning or desiring such an outcome for any of us)

      But there are people out there who strap bombs on their bodies and kill non-combatants in order to create a better, more just world. (In their demented minds)

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    7. Re:Resilient by design by Ungrounded+Lightning · · Score: 5, Informative

      ARPAnet and MilNet were designed to be resilient against centralized attack and outages

      During the evolution from those networks to the current, commercialized, information utility, much of that design was abandoned. We have migrated from an everything-is-redundantly-multiconnected, route around failures, survive a nuclear exchange system to a hierarchy, with a distinction between core and edge, where loss of certain boxes can shut down 10,000 to 100,000 end user sites.

      (That's why those boxes are designed with internal redundancy, like a telephone exchange. And I know them intimately, having spent over a decade designing parts of them.)

      The core/backbone does retain some of the features of the Internet's cold-war-survival origin (though the transition to fiber and physical ring layouts made that more vulnerable to multipoint failures, as well.) So some of it still has part of the old robustness.

      Then there are new services which added new dependencies (and sometimes new surprises when something goes down or goes away and a lot of stuff breaks).

      And to top it off, the discussion is not about government actors managing to take the net down, but identifying and surgically cutting off a designated portion of it.

      So arguing from the characteristics of the robust-against-nukes network design we once had - and haven't had for decades - isn't particularly germane.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    8. Re:Resilient by design by Ungrounded+Lightning · · Score: 1

      ... someone can hang a few thousand 56k modems on their phone systems and call in to their neighbors ...Same goes for satellite, just bounce it around a few times and it can come from anywhere.

      WiFi is good for a LONG way, and a lot of bandwidth, too, especially if you use an old big-ugly-dish satellite antenna reflector at one or both ends.

      (Then there's OpenBTS and the like for bringing up cellphones - and bridging them to VoIP - when the government has spiked that network...)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    9. Re:Resilient by design by Hognoxious · · Score: 1

      The Internet considers censoring as damage and routes around it.

      Nice one. Never heard that before.

      routing through it's common carriers

      One, that should be "its". Two, "common carrier" doesn't mean what you think it does.

      Same goes for satellite, just bounce it around a few times and it can come from anywhere.

      That's how Syrians and Iranians were still able to connect after their countries shut down their internets.

      Right. Personal satellite ownership is almost universal in those countries.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    10. Re:Resilient by design by Gr8Apes · · Score: 1

      On network infrastructure. I'm not sure they envisioned such wildly insecure and widespread endpoints, even within government (and military!) walls.

      Considering that the original version of the internet had your computer hooked directly to the backbone or pretty close to it with no security features at all as firewalls etc hadn't been developed yet, I'd say they couldn't have envisioned anything else. LAN/MAN/WAN etc were just descriptions of how degraded your connectivity became (across a LAN it was OK, WAN could be a 12Kbps link)

      --
      The cesspool just got a check and balance.
    11. Re:Resilient by design by guruevi · · Score: 1

      Actually personal satellite dishes and even 2 way transponders for satellites are quite common in the Middle East. That's the primary way that people there get TV and the more rich also get data and phone communication that way. Al Jazeera for example is primarily satellite based broadcasting.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    12. Re:Resilient by design by guruevi · · Score: 1

      The internet you use may be walled gardens. I like my TCP/IP though, perhaps I'm one of the few that still remembers that we still have an Internet without Facebook and Google.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    13. Re:Resilient by design by vux984 · · Score: 1

      No we don't. The Internet considers censoring as damage and routes around it

      Not so much anymore.

      Even if I had a 100Mbps connection and my neighbor across the border had the same, and we decided to connect them, we'd be able to cross browse, but the internet at large would still be pretty much down because we can't advertise the route.

      And even if we could, the amount of traffic that might try to come through might overwhelm and render the link so saturated as to be useless for all but the simplest tasks. (e.g. anything that needed a tcp connection would suffer too much packet loss to work... )

      The internet's designed to be resilient to damage in the sense that it can route around it if we want to, with dynamic routing, redundant links, route advertising etc etc but the control over that stuff is mostly pretty centralized now. And most sites are little more than endpoints that couldn't link two parts of the network back together even if they wanted to and had the physical resources and connections and cables to do it, they still can't advertise the routes etc. My packets will never find that link.

      To completely black out the internet would be hard, after all two guys could even pass packets using smoke signals in theory...but how much bandwidth is that? :) But to take it 99.9% down would be relatively trivial.

    14. Re:Resilient by design by rtb61 · · Score: 1

      So it simply needs a core change in internet protocols, a design change from all allowed and only some blocked to all blocked and only some allowed. Pretty much what it needs to be to be considered as suitable as an internet for minors, this versus an internet for adults. Basically with an all blocked and only some allowed network, unless it is verified, checked and audited, its traffic is blocked by default at routers, this means you can not route around that block because you only can route to other blocks. Without having been allowed prior to access, you simply can not gain access. You are in effect requiring licensing of any individual IP and Mac address, prior to its use and only those specific ones are allowed through the network and this can also incorporate known initial access points and follow on routes (a defined possible legal trail, to block spoofing with impossible to connect in reality routes, just falsely identified traffic). With current investment in infrastructure, no longer possible except for a new parallel restricted network, say one suitable for minors.

      --
      Chaos - everything, everywhere, everywhen
    15. Re:Resilient by design by lgw · · Score: 2

      You can still "turn off the internet" for a country you don't like, but it will require bombs to be thorough. Or for an island nation, there will be few enough cables to cut.

      Obviously, TFA was distinguishing between a routing-only solution and military action, but I'm not sure how legitimate that is. At some point (as dependence on the internet increases) taking a nation off the internet becomes just as much an act of war as sending your navy to blockade trade, at which point you might as well include some military action in your planning. Any country with natural or politically-imposed physical-layer bottlenecks between it and its neighbors is vulnerable.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    16. Re:Resilient by design by drinkypoo · · Score: 1

      You're talking about creating a trusted network, and that will never work. Never, ever, ever. It will never work because all you have to do to compromise it is exploit a trusted host, and that is guaranteed to happen.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    17. Re:Resilient by design by eam · · Score: 1

      I think he was referring to personal satellites.

    18. Re:Resilient by design by TemporalBeing · · Score: 1

      No we don't. The Internet considers censoring as damage and routes around it

      Not so much anymore.

      Even if I had a 100Mbps connection and my neighbor across the border had the same, and we decided to connect them, we'd be able to cross browse, but the internet at large would still be pretty much down because we can't advertise the route.

      So Country A blocks Country B; Country B then gets to Country A via Country C, or via C-D-E-F.

      The option is basically to block everything outside your borders - in which case the Internet becomes an Intranet - or allow everything because if even one Allowed external entity has a route to someone you don't want to have access then that someone can get access to your network.

      And that's not taking into account hopping via Sat-Com or Modems, etc as mentioned in the thread, which is yet another way to dial-in via routing around the problem area.

      And yes, this was by design due to Cold War concerns by CIA, NSA, DoD, etc.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    19. Re:Resilient by design by TemporalBeing · · Score: 1

      ARPAnet and MilNet were designed to be resilient against centralized attack and outages

      During the evolution from those networks to the current, commercialized, information utility, much of that design was abandoned. We have migrated from an everything-is-redundantly-multiconnected, route around failures, survive a nuclear exchange system to a hierarchy, with a distinction between core and edge, where loss of certain boxes can shut down 10,000 to 100,000 end user sites.

      (That's why those boxes are designed with internal redundancy, like a telephone exchange. And I know them intimately, having spent over a decade designing parts of them.)

      The core/backbone does retain some of the features of the Internet's cold-war-survival origin (though the transition to fiber and physical ring layouts made that more vulnerable to multipoint failures, as well.) So some of it still has part of the old robustness.

      Then there are new services which added new dependencies (and sometimes new surprises when something goes down or goes away and a lot of stuff breaks).

      And to top it off, the discussion is not about government actors managing to take the net down, but identifying and surgically cutting off a designated portion of it.

      So arguing from the characteristics of the robust-against-nukes network design we once had - and haven't had for decades - isn't particularly germane.

      You seem to have missed the resiliency of the Internet on 9/11 and how even though several major core backbone connections running under Twin Towers were completely severed almost no one noticed.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    20. Re:Resilient by design by vux984 · · Score: 1

      So Country A blocks Country B; Country B then gets to Country A via Country C, or via C-D-E-F.

      You are attacking the wrong problem. Country A doesn't want to block traffic from country B reaching country A. Country A wants to take country B off the internet entirely; and country A is already engaged militarily with B so it has options that include doing stuff IN country B.

      So country A physically destroys the big fiber optic bundles at the borders and disables the satellite uplinks of country B by military force.

      Country B is now pretty effectively cut off from A, C, D, E, F...

    21. Re:Resilient by design by TemporalBeing · · Score: 1

      So Country A blocks Country B; Country B then gets to Country A via Country C, or via C-D-E-F.

      You are attacking the wrong problem. Country A doesn't want to block traffic from country B reaching country A. Country A wants to take country B off the internet entirely; and country A is already engaged militarily with B so it has options that include doing stuff IN country B.

      So country A physically destroys the big fiber optic bundles at the borders and disables the satellite uplinks of country B by military force.

      Country B is now pretty effectively cut off from A, C, D, E, F...

      Except Country A cannot necessarily or even practically prevent Country B from having connections with any other Country (C, D, E, F). Country A can sever connections between Country A and Country B, but that will not prevent connections between Country B and Country C, D, E, or F. Country A can realistically only isolate itself.

      A good example of how this really plays out and how difficult it is to really maintain such an enforcement is the Great Firewall of China. Now they're 99% of the example in that they do want some but very censored traffic to come in and go out.

      Alternatively, look at the Middle East where Sat-Comm is a norm - all you have to do is have an account with an appropriate Sat Com vendor and there's NOTHING that Country A can do to prevent your traffic from crossing into their borders; or switch from SatCom to Cellular and it's not very different - just means you have someone sitting close to a border with enough cellular modems to make the same kind of service available without having physical links, and it's near impossible to really prevent them or block the RF, etc.

      So no, my example is spot on when you look at reality.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    22. Re:Resilient by design by vux984 · · Score: 1

      Except Country A cannot necessarily or even practically prevent Country B from having connections with any other Country (C, D, E, F).

      We simply aren't talking about the same thing.

      You are trying to deny internet access to individuals in country B. And yes, that is extremely difficult to do.

      I am talking about denying internet access to the country at large. And that is relatively easy to do. Because those few individuals near the border with satellites that didn't get bombed, or within cellular coverage range (perhaps via custom antenna configurations) they are JUST getting access for themselves and an extremely small local group. They aren't restoring the "internet" to that country. The internet is still down for pretty much everybody. That is the point I am making, that "the internet *can't* route around this damage".

      Individuals being able to get themselves connected as consumer endpoints from inside a particular country is simply not even slightly the same thing as creating a new internet link to that country.

      The "Great firewall of china" is completely unrelated.

      just means you have someone sitting close to a border with enough cellular modems to make the same kind of service available without having physical links, and it's near impossible to really prevent them or block the RF, etc.

      Unless that someone is able to establish a connection to the country's internet infrastructure and advertise the route all he's done is given himself and maybe his little local group internet access. And you are right, that's all but impossible to stop, but I'm talking about actually bringing the country back online (actually having internet access) with these "guerrilla" links and that doesn't work. It's just a few endpoints.

      So no, my example is spot on when you look at reality.

      As I said, we seem to be talking about achieving different goals.

    23. Re:Resilient by design by TemporalBeing · · Score: 1

      Except Country A cannot necessarily or even practically prevent Country B from having connections with any other Country (C, D, E, F).

      We simply aren't talking about the same thing.

      You are trying to deny internet access to individuals in country B. And yes, that is extremely difficult to do.

      I am talking about denying internet access to the country at large. And that is relatively easy to do. Because those few individuals near the border with satellites that didn't get bombed, or within cellular coverage range (perhaps via custom antenna configurations) they are JUST getting access for themselves and an extremely small local group. They aren't restoring the "internet" to that country.

      Says who? They could set that up and have a connection running to be a provider for the country at large. Heck, the government could do it and provide internet to everyone. I didn't say a thing about *who* did it, just that it could be done - meaning *anyone* could do it, and thus restore connectivity.

      Or take Mesh Networking into account (802.11s), and again it's accessible to anyone within range of the mesh network - hence the country at large, even if the country at large is routing through a couple Mesh Network devices connected to a few Sat Com devices (run from anywhere in the country) and Cell Modems around the border. Sure, performance is going to be poor but it wouldn't take much to restore *some* level of connectivity.

      just means you have someone sitting close to a border with enough cellular modems to make the same kind of service available without having physical links, and it's near impossible to really prevent them or block the RF, etc.

      Unless that someone is able to establish a connection to the country's internet infrastructure and advertise the route all he's done is given himself and maybe his little local group internet access. And you are right, that's all but impossible to stop, but I'm talking about actually bringing the country back online (actually having internet access) with these "guerrilla" links and that doesn't work. It's just a few endpoints.

      Again, it's just a matter of *who* is doing it. If the Country wanted to provide the service, they'll find a way to provide the service, even if it's just for government use - which is one of the reasons why Country A may want to block Country B from being on the Internet - to prevent Country B's government from nefarious acts against Country A via the Internet. The fact that Country B can put a Sat Com in place to run those attacks over completely negates the issue of cutting the fibre servicing the residents. If they want to do it they'll find a way - even placing people to do so into Country C if necessary.

      So no, my example is spot on when you look at reality.

      As I said, we seem to be talking about achieving different goals.

      No, you're missing the point.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    24. Re:Resilient by design by vux984 · · Score: 1

      I didn't say a thing about *who* did it, just that it could be done - meaning *anyone* could do it

      That's a really weird definition of 'anyone' can do it. Most people CANNOT do it, and the people who can do it all belong to very specific organizations. That is pretty much the opposite of 'anyone'.

      Further, even if they've got the ability to advertise new routes locally, good luck being able to get whatever entity they are connected to wirelessly to advertise the route. Best case, the small number of people who might be able to get the domestic internet to route packets along ad hoc routes still aren't going to be able to get their foreign counterparts to advertise those ad hoc routes, so no packets are coming back.

      Again, it's just a matter of *who* is doing it. If the Country wanted to provide the service, they'll find a way to provide the service, even if it's just for government use

      Providing individuals internet service really has nothing to do with the internet's ability to route around damage though.

      No, you're missing the point.

      I'm definitely not missing the point that I am making.
      I see what you are saying, but you are simply talking about something else entirely.

      Let's try this another way.

      The internet is like a spiderweb. And every node can communicate with every other along various paths. If I then cut a portion of the web off, then I have two separate webs. That can't communicate with each other.

      You on the other hand are making the argument that it's easy for anyone on the cut off half to throw a line over to the first half and get some service for themselves, and/or some others is absolutely correct. But it still doesn't create a bridge between the two webs again. They might have service but the other web is still cut off.

      The number of people who have the ability to actually connect them back together is pretty small. Both sides of the connection have to have the ability to advertise routes; and that's pretty rarefied these days.

    25. Re:Resilient by design by Coren22 · · Score: 1

      How would that affect the sat connections, or even wifi connection that could be set up to route around the damaged undersea cables? I have worked with people doing 25 mile 802.11 hops using a pizza box antenna, it is quite doable. So, unless the country is Australia, I think it won't be an issue getting linkups through your blockade.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    26. Re:Resilient by design by TemporalBeing · · Score: 1

      I didn't say a thing about *who* did it, just that it could be done - meaning *anyone* could do it

      That's a really weird definition of 'anyone' can do it. Most people CANNOT do it, and the people who can do it all belong to very specific organizations. That is pretty much the opposite of 'anyone'.

      Further, even if they've got the ability to advertise new routes locally, good luck being able to get whatever entity they are connected to wirelessly to advertise the route. Best case, the small number of people who might be able to get the domestic internet to route packets along ad hoc routes still aren't going to be able to get their foreign counterparts to advertise those ad hoc routes, so no packets are coming back.

      If you want to go there, then you obviously missed the headlines last year that a lot of the Internet infrastructure is open to attack simply because it's extremely trusting that when someone advertises a route they actually own that route. Don't recall if that was fixed or not, but it was actually used to subvert some routes IIRC.

      Again, it's just a matter of *who* is doing it. If the Country wanted to provide the service, they'll find a way to provide the service, even if it's just for government use

      Providing individuals internet service really has nothing to do with the internet's ability to route around damage though.

      Actually it does because the routes that allow one to go from A to B to C may be able to be comprised of A->D->C or A->B->D->E->C. The route may not be the most efficient (A->C) but if it can be made it will be made. Which is the entire point of this thread. You can only isolate yourself - if A has no routes out of A then C can never be reached, but once A has a route outside of A (B) then if C is reachable via that route then there is ultimately nothing A can do to prevent users within A from getting to C.

      No, you're missing the point.

      I'm definitely not missing the point that I am making. I see what you are saying, but you are simply talking about something else entirely.

      Let's try this another way.

      The internet is like a spiderweb. And every node can communicate with every other along various paths. If I then cut a portion of the web off, then I have two separate webs. That can't communicate with each other.

      You on the other hand are making the argument that it's easy for anyone on the cut off half to throw a line over to the first half and get some service for themselves, and/or some others is absolutely correct. But it still doesn't create a bridge between the two webs again. They might have service but the other web is still cut off.

      The number of people who have the ability to actually connect them back together is pretty small. Both sides of the connection have to have the ability to advertise routes; and that's pretty rarefied these days.

      As someone who has done networks, only one side really needs to know about the other. If you don't care about data connecting outside in, then advertising the route on the inside only is quite sufficient - that's typically how NAT works, and the external entity will be able to gain the route back to the source even if it's not entirely advertised both directions.

      Unfortunately, you just cut your own argument down. If there is a line that allows two nodes to connect to each other then the only limit is the transmission rate of that line to provide the entire route. That's *how* the Internet works. It may not be efficient, but it does work - and (more importantly) has been *proven* to work.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    27. Re:Resilient by design by vux984 · · Score: 1

      Actually it does because the routes that allow one to go from A to B to C may be able to be comprised of A->D->C or A->B->D->E->C

      I can't tell if I'm not explaining it well, or if you are just being dense. Let's try again, with a specific example.

      Let's say your home is on Comcast cable for internet.
      Let's say ALL of Comcast's peering links get cut. Everyone on Comcast loses their internet. Your internet goes down. You're still getting an IP address from Comcast, you can ping other Comcast users, but you can't reach anything outside the Comcast network. With me so far?

      Let's say *I* happen to have both Comcast cable and Verizon wireless internet. So I still have internet.

      There is absolutely nothing I can do to share that link back to Comcast and give all those Comcast users internet. I simply cannot configure my gear to automagically let Comcast know that hey I've still got internet, feel free to route some packets through me; so that suddenly you and all Comcast's customers have some internet access again.

      If Comcast has a million customers, and 100,000 of them have random other connections, dialup, satellite, cellular, whatever, they all can get internet access, there really is no practical way for them to bring *Comcast* back 'online' by somehow 'sharing' those links.

      As someone who has done networks, only one side really needs to know about the other

      Sort of. Yes, I realized myself after posting that you could use NAT to get around the inability to advertise routes on the 'other side', but to ad-hoc a whole major ISP or whole country of ISPs via multiple consumer NAT points is not practical. For starters the NAT tables would be enormous with millions of hosts behind them and you'd need a lot more than regular consumer gear which again limits who can actually build functional links again.

      But sure, yes, with the right hardware, and cooperation from carrier engineers something could be done. This doesn't defeat my argument, it demonstrates how centralized it is.

      It's not completely centralized, but it's obviously not peer to peer either, nor can it easily become peer to peer in the event the big centralized links got knocked down.
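
The scenario from the comment above (an ISP loses all its upstream and peering links while one of its customers is also connected to a second provider), modelled as an added example that is not part of the original thread. It assumes the common "valley-free" export policy, in which a network passes routes learned from a provider or peer only to its own customers; the network names (`ISP_A`, `ISP_B`, `TRANSIT`, `home_single`, `home_dual`, `website`) are made up for the illustration.

```python
from collections import deque

P2C, PEER = "provider->customer", "peer"  # link types; for P2C the key is (provider, customer)


def neighbours(links, node):
    """Yield (neighbour, step) with step 'up', 'down' or 'peer' as seen from node."""
    for (a, b), rel in links.items():
        if rel == PEER and node in (a, b):
            yield (b if node == a else a), "peer"
        elif rel == P2C and node == a:
            yield b, "down"   # a is the provider, b its customer
        elif rel == P2C and node == b:
            yield a, "up"     # b is the customer, a its provider


def physically_connected(links, src, dst):
    """Is there any chain of cables/radio links between src and dst?"""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt, _ in neighbours(links, node):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def policy_reachable(links, src, dst):
    """Is there a path that routing policy would actually advertise?

    Valley-free rule (assumed): climb customer->provider links, cross at most
    one peer link, then only descend provider->customer. A customer never
    carries traffic between two of its providers.
    """
    start = (src, False)  # (node, already past the top of the path?)
    seen, queue = {start}, deque([start])
    while queue:
        node, descending = queue.popleft()
        if node == dst:
            return True
        for nxt, step in neighbours(links, node):
            if descending and step != "down":
                continue  # would need a route nobody exports
            state = (nxt, step != "up")
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return False


def normal_links():
    """Constructed topology: two ISPs, one transit provider, three end sites."""
    return {
        ("TRANSIT", "ISP_A"): P2C,
        ("TRANSIT", "ISP_B"): P2C,
        ("ISP_A", "ISP_B"): PEER,
        ("ISP_A", "home_single"): P2C,
        ("ISP_A", "home_dual"): P2C,   # dual-homed customer, link 1
        ("ISP_B", "home_dual"): P2C,   # dual-homed customer, link 2
        ("ISP_B", "website"): P2C,
    }


def after_cut(links):
    """ISP_A loses its transit and its peering; customer links survive."""
    cut = {("TRANSIT", "ISP_A"), ("ISP_A", "ISP_B")}
    return {k: v for k, v in links.items() if k not in cut}


def with_dual_homed_as_transit(links):
    """Both sides cooperate: home_dual now sells transit to ISP_A, and ISP_B
    accepts the routes home_dual announces on ISP_A's behalf."""
    repaired = dict(links)
    del repaired[("ISP_A", "home_dual")]
    repaired[("home_dual", "ISP_A")] = P2C
    return repaired


if __name__ == "__main__":
    for label, topo in [("normal", normal_links()),
                        ("after cut", after_cut(normal_links())),
                        ("repaired", with_dual_homed_as_transit(after_cut(normal_links())))]:
        print(f"{label:10} wire={physically_connected(topo, 'home_single', 'website')} "
              f"routed={policy_reachable(topo, 'home_single', 'website')}")
```

After the cut the wire path `home_single - ISP_A - home_dual - ISP_B - website` still exists, but it only carries traffic once the relationship on both sides of `home_dual` is changed so that the routes are actually announced.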

    28. Re:Resilient by design by TemporalBeing · · Score: 1

      Actually it does because the routes that allow one to go from A to B to C may be able to be comprised of A->D->C or A->B->D->E->C

      I can't tell if I'm not explaining it well, or if you are just being dense. Let's try again, with a specific example.

      Let's say your home is on Comcast cable for internet. Let's say ALL of Comcast's peering links get cut. Everyone on Comcast loses their internet. Your internet goes down. You're still getting an IP address from Comcast, you can ping other Comcast users, but you can't reach anything outside the Comcast network. With me so far?

      Let's say *I* happen to have both Comcast cable and Verizon wireless internet. So I still have internet.

      There is absolutely nothing I can do to share that link back to Comcast and give all those Comcast users internet. I simply cannot configure my gear to automagically let Comcast know that hey I've still got internet, feel free to route some packets through me; so that suddenly you and all Comcast's customers have some internet access again.

      If Comcast has a million customers, and 100,000 of them have random other connections, dialup, satellite, cellular, whatever, they all can get internet access, there really is no practical way for them to bring *Comcast* back 'online' by somehow 'sharing' those links.

      Well, depends on the policies - namely around whether you have a public IP or an ability to run as a server; most ISPs allow people to run as servers primarily to please gamers. It's actually easier now to get a public IP and server allowance for consumers than it has generally been in the past. And so technically yes you can. That doesn't mean Comcast would be happy about it, but then for your scenario - they'll probably be wanting to talk to improve things because they won't be happy about not being able to get their own direct line to Verizon, etc.

      You can advertise your gateway. If (a) you advertise back to Comcast (either by issuing the appropriate BGP or calling them up and working out a deal) or (b) you advertise to people directly (via word of mouth) that they can use you as a gateway (slow expansion but it will work), then yes you can become a gateway for people to get Internet access from outside of Comcast to. It's not difficult, though it may require people to do specific setups, it's still not difficult to do.

      Now if you're a business with an SLA with Comcast and you do that... Or if you're a government entity...

      As someone who has done networks, only one side really needs to know about the other

      Sort of. Yes, I realized myself after posting that you could use NAT to get around the inability to advertise routes on the 'other side', but to ad-hoc a whole major ISP or whole country of ISPs via multiple consumer NAT points is not practical. For starters the NAT tables would be enormous with millions of hosts behind them and you'd need a lot more than regular consumer gear which again limits who can actually build functional links again.

      But sure, yes, with the right hardware, and cooperation from carrier engineers something could be done. This doesn't defeat my argument, it demonstrates how centralized it is.

      It's not completely centralized, but it's obviously not peer to peer either, nor can it easily become peer to peer in the event the big centralized links got knocked down.

      So all of that is solvable by how you design your network - how many resources are employed. NAT isn't required - it's just one example. My point was never that the solution would have the best scalability...just that it would work even if providing a very slow connection. And if the Powers That Be (e.g. a dictator) really wanted to restore Internet service to the country, then these kinds of solutions could be employed to do so.

      What you're arguing is that it's not a *scalable* solution, but scalability doesn't matter - if it's just one individual doing it, y

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  3. Crappy headline - forgot "areas of" by xxxJonBoyxxx · · Score: 3, Insightful

    >> It's 'Not Realistic' To Shut Down Internet
    >> not be possible to shut down areas of the Internet that terrorists use

    Big difference. Unfortunately, I see these kinds of inquiries leading to a "why don't we have a great big 'murican firewall" train of thought in a year or two.

    1. Re:Crappy headline - forgot "areas of" by SJHillman · · Score: 5, Funny

      We can have Nigeria pay for it.

    2. Re:Crappy headline - forgot "areas of" by Anonymous Coward · · Score: 1

      Well the wealthy Nigerian prince can afford it.

    3. Re:Crappy headline - forgot "areas of" by ganjadude · · Score: 1

      Not until we help him get his money back. I'm on my way to Western Union right now!!!

      --
      have you seen my sig? there are many others like it but none that are the same
    4. Re:Crappy headline - forgot "areas of" by sims+2 · · Score: 1

      China has one, why can't we have one too?

      I'm being sarcastic.

      --
      Minimum threshold fixed. Thanks!
  4. YEs, it does work that way by phishybongwaters · · Score: 1

    Yes, you can knock countries and regions off the internet. But you really can't do it without collateral damage. It depends 100% on the infrastructure supporting their access. You want to knock Europe off? Cut the link cables. You want to knock Iran off? Take out their links. It will never be 100% effective but you can do it to some extent. The internet isn't some magical fog, it requires hardware, be that radio towers, access points, or plain old cables. That infrastructure can be taken out. The issue is, by design, the internet can survive that. But you totally can remove a country from the internet for the most part.

    1. Re:YEs, it does work that way by mrbester · · Score: 5, Insightful

      If you cut the link cables to Europe are you cutting off Europe from you or are you really cutting yourself off from Europe?

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    2. Re:YEs, it does work that way by Anonymous Coward · · Score: 1

      Yes

    3. Re:YEs, it does work that way by Whorhay · · Score: 2

      While countries can be largely knocked off the internet by severing their physical connections, that isn't really the question at issue. The panel was asking about eliminating the ability for terrorists to organize and recruit over the internet, especially through the dark web. The reason this goal isn't the same as cutting off a country's access is that extremists aren't neatly limited to national boundaries and they certainly don't mind those borders when establishing websites for recruitment. It's the same basic problem that terrorists always pose, they are generally indistinguishable from the general public until such time as is too late.

    4. Re:YEs, it does work that way by techno-vampire · · Score: 1

      You want to knock Europe off? Cut the link cables.

      That's not as easy as it looks. Europe has connections to the US across the Atlantic, to Africa across the Mediterranean and to Asia through Turkey, the Ukraine and Russia. And that's ignoring any satellite links.

      --
      Good, inexpensive web hosting
    5. Re:YEs, it does work that way by wyHunter · · Score: 5, Funny

      If the channel tunnel is closed, it means the Continent is isolated.

    6. Re:YEs, it does work that way by delt0r · · Score: 1

      Err, so I lived in Europe for a while. They have this thing called Radio waves that communicate to satellites. Sure it would be reduced bandwidth, but you would not cut us off. Of course most of us would take quite some time to notice since most of the internet Europe uses is also hosted in Europe.

      --
      If information wants to be free, why does my internet connection cost so much?
  5. Cyber Command? by gstoddart · · Score: 1

    God these self-aggrandizing titles are annoying.

    He's not the "Cyber Commander", he's in charge of an entity whose purview is things related to the interwebs.

    But let's stop treating him like he's the fucking Field Marshal of the internet.

    --
    Lost at C:>. Found at C.
    1. Re:Cyber Command? by inhuman_4 · · Score: 1

      All hail Web Marshal Mike Rogers, defender of the internets!

    2. Re:Cyber Command? by tnk1 · · Score: 4, Informative

      His title is Commander, US Cyber Command (USCYBERCOM), which is a unified sub-command of the US Military. Calling him "Cyber Commander" is a stupid journalistic oversimplification, it's not his actual title.

      Of course, you can always tell government drones when they refer to "cyber" anything, but that is just the way it goes.

    3. Re:Cyber Command? by jbmartin6 · · Score: 1

      I want to see him fight the Aquabat Commander

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    4. Re:Cyber Command? by turbidostato · · Score: 2

      "Calling him "Cyber Commander" is a stupid journalistic oversimplification"

      As if calling him "Commander, USCYBERCOM" didn't sound stupid enough (isn't it something coming from Mattel?).

      Those big boys and their expensive toys...

    5. Re:Cyber Command? by sociocapitalist · · Score: 1

      His title is Commander, US Cyber Command (USCYBERCOM), which is a unified sub-command of the US Military. Calling him "Cyber Commander" is a stupid journalistic oversimplification, it's not his actual title.

      Of course, you can always tell government drones when they refer to "cyber" anything, but that is just the way it goes.

      Nonsense - his complete profile is right here and his title is definitely Cyber Commander: http://yugioh.wikia.com/wiki/C...

      --
      blindly antisocialist = antisocial
  6. Sure you can... by Etherwalk · · Score: 2

    It's not easy, but it's certainly possible to mostly do that. It's just that it hurts more than it helps in most cases, because it hurts the legit stuff going on. You want to change this, you have to actually incentivize the leaders in those countries to crack down in an effective way.

    1. Re:Sure you can... by AHuxley · · Score: 1

      It also depends on how the US mil would do it in the USA. A legal sounding secret letter and all cell towers in a region of a state, city stop working except for emergency and select secure calls from a pre set list of allowed users.
      All the talk of dark optical, dot com built redundancy is often just talk in many parts of the USA. A lot of physical optical might have been built out at some time but only a few active monopolies, cartels, duopolies really control all networks to keep the backhaul working in some regions with the wider national interconnects.
      "First map of US fiber infrastructure reveals potential network redundancy issues" (September 25, 2015)
      "Using multiple service providers to improve redundancy works only if the providers are not sharing fiber optic conduit space. Researchers suggest caution, as infrastructure sharing is common."
      http://www.techrepublic.com/ar...
      i.e. a US political or mil request to an actual few owners and the local US telco network becomes a sneaker net.
      https://en.wikipedia.org/wiki/...
      All that would be left working would be any non US/NATO advanced handheld and other sat options with prepaid credit, i.e. voice communications and uploading short vids, images. How many 2way sat providers would honour a request to turn off over the USA?
      The only way for the US around that uplink would be mil grade jamming or the hunting down of each user with working connected hardware once detected.
      Consumer grade internet and telco system is easy for any owner to turn off at a national level. Getting images, video out via a sat uplink would then be a risk.

      --
      Domestic spying is now "Benign Information Gathering"
  7. What are you, my dad? by wardrich86 · · Score: 2

    I mean, who else makes threats to "shut down the internet"?

  8. BGP by Etherwalk · · Score: 2

    Not really. The internet was designed to route around damage, not deliberate breakage. It's taken decades to get more secure, and it's still not really there. Any serious network routing guys here want to speculate about how easy deliberate breakage would be? What if you cut all the big pipes and used all the satellite connections to send bad routing updates all the time, for example? I haven't looked at this stuff in years, but vaguely remember stories of small BGP misconfigurations taking most of a country offline.

    1. Re:BGP by EmperorArthur · · Score: 2

      Sure, you can broadcast bad routes. It's happened (on accident) in the past before. Typically backbone providers just filter the network sending those bad routes, and have everything fixed within a day. Worst case scenario is the US ends up being separated from the rest of the internet because nobody trusts us. A much more likely scenario is US free interconnects go away, and we end up having to pay for traffic to take whatever path the other networks deem best when going to the US.

      If the US injects bad routing packets through other means, for example by injecting them into foreign satellite providers, then that's straight hacking. Sure the US does hack foreign systems, but this is slap in the face type stuff and would result in political retaliation.

      tldr: Sending bad routing updates is not an option. It would backfire spectacularly.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
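The filtering of bad routes mentioned in the comment above can be illustrated with an origin check on received announcements. This is an added example, not part of the thread; it uses origin validation in the style of RFC 6811 as one assumed filtering method, and the authorization table, neighbor names and updates are constructed.

```python
import ipaddress
from collections import Counter

# Constructed authorization table: (prefix, max_length, authorized origin AS).
# Prefixes and AS numbers are documentation values, not real allocations.
AUTHORIZED = [
    ("192.0.2.0/24", 24, 64496),
    ("203.0.113.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64498),
]

# Constructed updates: (neighbor that sent it, announced prefix, origin AS).
UPDATES = [
    ("AS64500", "192.0.2.0/24", 64496),     # matches the table
    ("AS64501", "192.0.2.0/25", 64496),     # more specific than allowed
    ("AS64501", "203.0.113.0/24", 64499),   # wrong origin AS
    ("AS64500", "198.51.100.0/24", 64510),  # nothing in the table covers it
    ("AS64500", "2001:db8:1::/48", 64498),  # within max_length, right origin
]

def validate(prefix, origin_asn, table=AUTHORIZED):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for auth_prefix, max_len, asn in table:
        auth = ipaddress.ip_network(auth_prefix)
        if auth.version != route.version or not route.subnet_of(auth):
            continue  # this entry does not cover the announced prefix
        covered = True
        if route.prefixlen <= max_len and asn == origin_asn:
            return "valid"
    # Covered by an entry but matching none of them means a bad origin
    # or an over-specific prefix; uncovered prefixes cannot be judged.
    return "invalid" if covered else "not-found"

def filter_updates(updates):
    """Split updates into accepted and rejected; only 'invalid' is rejected."""
    accepted, rejected = [], []
    for neighbor, prefix, origin in updates:
        state = validate(prefix, origin)
        target = rejected if state == "invalid" else accepted
        target.append((neighbor, prefix, origin, state))
    return accepted, rejected

def neighbors_to_filter(rejected, threshold=2):
    """Neighbors that sent at least `threshold` invalid announcements."""
    counts = Counter(neighbor for neighbor, *_ in rejected)
    return sorted(n for n, c in counts.items() if c >= threshold)

if __name__ == "__main__":
    accepted, rejected = filter_updates(UPDATES)
    for row in accepted + rejected:
        print(row)
    print("filter:", neighbors_to_filter(rejected))
```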
    2. Re:BGP by Mogster · · Score: 1

      One could potentially just NULL route the IPs

      ip route a.b.c.d c.i.d.r NULL0

      The routes wouldn't propagate to the rest of the Internet, yet traffic would be blocked at the border in both directions. Just convince the bigger ISPs to add them to their border routers.

      --
      ACK NAK RST
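What a static null route does at a border router, with and without a source check, shown as an added example that is not part of the thread. The `BorderRouter` class, its `urpf_loose` flag and all addresses and next-hop names are constructed for illustration; the source check models a loose reverse-path check that treats a null-routed source as unreachable.

```python
import ipaddress

NULL0 = "Null0"  # discard interface, as in the comment's static route

class BorderRouter:
    """Toy longest-prefix-match forwarder (hypothetical model, not a real API)."""

    def __init__(self, urpf_loose=False):
        self.routes = []              # list of (network, next_hop)
        self.urpf_loose = urpf_loose  # also check the packet's source address

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, addr):
        """Next hop of the most specific route containing addr, or None."""
        ip = ipaddress.ip_address(addr)
        matches = [(net.prefixlen, hop) for net, hop in self.routes if ip in net]
        return max(matches, key=lambda m: m[0])[1] if matches else None

    def forward(self, src, dst):
        # Loose reverse-path check: drop when the best route back to the
        # source is missing or points at the discard interface.
        if self.urpf_loose and self.lookup(src) in (None, NULL0):
            return "drop (source check)"
        hop = self.lookup(dst)
        if hop is None:
            return "drop (no route)"
        if hop == NULL0:
            return "drop (null route)"
        return "forward via " + hop

def build(urpf_loose):
    """Constructed routing table: default route, one customer LAN, one null route."""
    router = BorderRouter(urpf_loose)
    router.add_route("0.0.0.0/0", "upstream")
    router.add_route("192.0.2.0/24", "customer-lan")
    router.add_route("203.0.113.0/24", NULL0)  # the blocked prefix
    return router

if __name__ == "__main__":
    for flag in (False, True):
        router = build(flag)
        print("urpf_loose =", flag)
        print("  to blocked prefix:  ", router.forward("192.0.2.10", "203.0.113.5"))
        print("  from blocked prefix:", router.forward("203.0.113.5", "192.0.2.10"))
        print("  unrelated traffic:  ", router.forward("192.0.2.10", "198.51.100.7"))
```

With the null route alone only packets destined to the prefix are dropped, which is still enough to stop any two-way exchange through this router; dropping packets sourced from the prefix needs the reverse-path check as well.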
  9. If they say it isn't... by mschaffer · · Score: 1

    If they say it isn't...you can bet they already have a plan that does.
    Of course, it may not quite work.

  10. Just shut down... by RJFerret · · Score: 2

    ...the atmosphere, that's where the bad weather is.
    ...the oceans, that's where the garbage patches are.
    ...bacteria, that's where infections derive.
    ...brains, that's where ignorance thrives.

  11. Isn't this like an embargo by Okian+Warrior · · Score: 1

    Yes, you can knock countries and regions off the internet. But you really can't do it without collateral damage.

    I agree *completely* that doing this would be less effective than letting things stand.

    But I have to ask, in a technical sense why *couldn't* we cut off conflict areas from the rest of the internet?

    Taking Syria as an example, we could
    1) Disable their top level domain.
    2) Identify the .com and .edu websites hosted in Syria and route them to nowhere
    3) Identify source connections from within Syria and automatically route *them* nowhere

    On #3 above, Syria has only a handful of service providers, and the source address can be identified to belong to one of these. By IP address if nothing else.

    Now, people can get around these problems in lots of ways, and some would say *easy* ways. Proxy servers and TOR come to mind. ...but these are generally not free, impose a technical barrier to implement that not everyone can handle, and can in general be detected.

    Politically, it's like establishing an embargo on a country.

    Taking the recent US embargo on Iran as an example, if the US sees a country violating the embargo (acting as a proxy so that Syrians can access outside the internet), then it can take political actions against the helping country. Just like the economic embargo on Iran.

    Like an embargo, it won't help.

    But even though it wouldn't *help*, I don't see why it couldn't be *done*.

    Can anyone explain better, in a technical sense, why these steps can't be done?

  12. Geo-blocking doesnt require gr8 firewall-o-murca!! by tommyatomic · · Score: 2

    Route-poison traffic to and from location X. People forget that valid Internet communication is 2way. Sure they might be able to broadcast out but not being able to receive in effectively cuts them off. Their internet will get awfully quiet.

    The thing that "head of U.S. Cyber Command" is not saying is that cutting off the internet also cuts off easy common communication for any intelligence resources the US has in that area.

    In this instance a communications blackout works against both parties.

  13. Re: Cyber Commander, seroiusly by Anonymous Coward · · Score: 1

    I wonder if his official rank is commodore 64?

  14. Re:It's a question of politics by GLMDesigns · · Score: 1

    Why be an AC?

    That is a rational proposition.

    --
    If you're scared of your govt then you need to further restrict its powers
    Vote 3rd Party in 2016 and beyond
  15. typical helpdesk conversation by Anonymous Coward · · Score: 1

    This is pretty much off topic.

    "THE INTERNET IS DOWN!! THE INTERNET IS DOWN!!"

    Helpdesk: "Have you tried going to google.com?"

    Customer: "Oh, that's coming up fine."

  16. Re: Cyber Commander, seroiusly by Hognoxious · · Score: 1

    It's a pretty decent file manager for android. Has a samba plugin that works!

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  17. No shit by softnewsit · · Score: 1

    You don't say, cyber-commander!

    --
    Go away!
  18. Re:Fishing Boats Do It by delt0r · · Score: 1

    It "disrupts" and soon the damage is routed around, as it did in this case. Most countries have more than one cable as well. Also a whole country doesn't really work since presumably the terrorists are already in your country and, well, the Internets within the country are working just fine.

    --
    If information wants to be free, why does my internet connection cost so much?
  19. Re:Geo-blocking doesnt require gr8 firewall-o-murc by hey! · · Score: 1

    This is a very good point; however by "area" they don't necessarily mean "geographic area". Let's say you cut off Syria and northern Iraq from the Internet; that doesn't stop ISIS operatives in Europe from using the Internet. It doesn't even really stop Syrians from getting data from or to those sites using some kind of gateway (e.g. POTS or packet radio). It just means they won't be streaming Netflix.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  20. The Govt needs taxes. by speedlaw · · Score: 1

    When the Federal Government MADE ME post my taxes monthly on a website, and said I could no longer go physically to my bank, and pay a teller, I knew that the internet was here to stay. If the internet was "shut down", then most of your small businesses could not pay their withholding taxes, as the Govts have pulled banks back from that job.

  21. LOL! Not Fallin' for it. by BrendaEM · · Score: 1

    Nope, not going to buy into it. Just like there was no domestic spying. The government has no off switch, until they use it.

    --
    https://www.youtube.com/c/BrendaEM
  22. It's easy by jaq1an · · Score: 1

    just cut one of the tubes ;)